
Report of the Presidential Commission on the Challenger Accident (In compliance with Executive Order 12546 of February 3, 1986)

Table of Contents

Volume I

Preface
Chapter I - Introduction
Chapter II - Events Leading Up to the Challenger Mission
Chapter III - The Accident
Chapter IV - The Cause of the Accident
Chapter V - The Contributing Cause of the Accident
Chapter VI - An Accident Rooted in History
Chapter VII - The Silent Safety Program
Chapter VIII - Pressures on the System
Chapter IX - Other Safety Considerations

Recommendations
The Commission
The Staff

Appendix A - Commission Activities
Appendix B - Commission Documentation System
Appendix C - Observations Concerning the Processing And Assembly of Flight 51-L
Appendix D - Supporting Charts and Documents

Volume II

Appendix E - Independent Test Team Report to the Commission
Appendix F - Personal Observations on Reliability of Shuttle
Appendix G - Human Factors Analysis
Appendix H - Flight Readiness Review Treatment of O-ring Problems
Appendix I - NASA Pre-Launch Activities Team Report
Appendix J - NASA Mission Planning and Operations Team Report
Appendix K - NASA Development and Production Team Report
Appendix L - NASA Accident Analysis Team Report
Appendix M - Comments by Morton Thiokol on NASA Report

Volume III

Appendix N - NASA Photo and TV Support Team Report
Appendix O - NASA Search, Recovery and Reconstruction Task Force Team Report

Volume IV

Hearings of the Presidential Commission on the Accident: February 6, 1986 to February 25, 1986

Volume V

Hearings of the Presidential Commission on the Space Shuttle Challenger Accident: February 26, 1986 to May 2, 1986.

PREFACE

The accident of Space Shuttle Challenger, mission 51-L, interrupting for a time one of the most productive engineering, scientific and exploratory programs in history, evoked a wide range of deeply felt public responses. There was grief and sadness for the loss of seven brave members of the crew; firm national resolve that those men and women be forever enshrined in the annals of American heroes, and a determination, based on that resolve and in their memory to strengthen the so that this tragic event will become a milestone on the way to achieving the full potential that space offers to mankind.

The President, who was moved and troubled by this accident in a very personal way, appointed an independent Commission made up of persons not connected with the mission to investigate it. The mandate of the Commission was to:

1. Review the circumstances surrounding the accident to establish the probable cause or causes of the accident; and

2. Develop recommendations for corrective or other action based upon the Commission's findings and determinations.

Immediately after being appointed, the Commission moved forward with its investigation and, with the full support of the White House, held public hearings dealing with the facts leading up to the accident. In a closed society other options are available; in an open society -- unless classified matters are involved -- other options are not, either as a matter of law or as a practical matter.

In this case a vigorous investigation and full disclosure of the facts were necessary. The way to deal with a failure of this magnitude is to disclose all the facts fully and openly; to take immediate steps to correct mistakes that led to the failure; and to continue the program with renewed confidence and determination.

The Commission construed its mandate somewhat broadly to include recommendations on safety matters not necessarily involved in this accident but which require attention to make future flights safer. Careful attention was given to concerns expressed by because the Space Shuttle program will only succeed if the highly qualified men and women who fly the Shuttle have confidence in the system.

However, the Commission did not construe its mandate to require a detailed investigation of all aspects of the Space Shuttle program; to review budgetary matters; or to interfere with or supersede Congress in any way in the performance of its duties. Rather, the Commission focused its attention on the safety aspects of future flights based on the lessons learned from the investigation with the objective being to return to safe flight.

Congress recognized the desirability, in the first instance, of having a single investigation of this national tragedy. It very responsibly agreed to await the Commission's findings before deciding what further action might be necessary to carry out its responsibilities.

For the first several days after the accident -- possibly because of the trauma resulting from the accident -- NASA appeared to be withholding information about the accident from the public. After the Commission began its work, and at its suggestion, NASA began releasing a great deal of information that helped to reassure the public that all aspects of the accident were being investigated and that the full story was being told in an orderly and thorough manner.

Following the suggestion of the Commission, NASA established several teams of persons not involved in the mission 51-L launch process to support the Commission and its panels. These NASA teams have cooperated with the Commission in every aspect of its work. The result has been a comprehensive and complete investigation.

The Commission believes that its investigation and report have been responsive to the request of the President and hopes that they will serve the best interests of the nation in restoring the United States space program to its preeminent position in the world.

Chapter I - Introduction

The Space Shuttle concept had its genesis in the 1960s, when the Apollo lunar landing spacecraft was in full development but had not yet flown. From the earliest days of the space program, it seemed logical that the goal of frequent, economical access to space might best be served by a reusable launch system. In February, 1967, the President's Science Advisory Committee lent weight to the idea of a reusable spacecraft by recommending that studies be made "of more economical ferrying systems, presumably involving partial or total recovery and use." In September, 1969, two months after the initial lunar landing, a Space Task Group chaired by the Vice President offered a choice of three long-range plans:

A $8-$10 billion per year program involving a manned Mars expedition, a space station in lunar orbit and a 50-person Earth-orbiting station serviced by a reusable ferry, or Space Shuttle.

An intermediate program, costing less than $8 billion annually, that would include the Mars mission.

A relatively modest $4-$5.7 billion a year program that would embrace an Earth-orbiting space station and the Space Shuttle as its link to Earth.

In March, 1970, President Nixon made it clear that, while he favored a continuing active space program, funding on the order of Apollo was not in the cards. He opted for the shuttle-tended space base as a long-range goal but deferred going ahead with the space station pending development of the shuttle vehicle. Thus the reusable Space Shuttle, earlier considered only the transport element of a broad, multi-objective space plan, became the focus of NASA's near-term future.

Chapter II - Events Leading up to the Challenger Mission

Preparations for the launch of mission 51-L were not unusual, though they were complicated by changes in the launch schedule. The sequence of complex, interrelated steps involved in producing the detailed schedule and supporting logistics necessary for a successful mission always requires intense effort and close coordination.

Flight 51-L of the Challenger was originally scheduled for July, 1985, but by the time the crew was assigned in January, 1985, launch had been postponed to late November to accommodate changes in payloads. The launch was subsequently delayed further and finally rescheduled for late January, 1986.

After a series of payload changes, the Challenger cargo included two satellites in the cargo bay and equipment in the crew compartment for experiments that would be carried out during the mission. The payloads flown on mission 51-L are listed in this table:

Mission 51-L Payloads

Tracking and Data Relay Satellite-B
Spartan-Halley Satellite
Comet Halley Active Monitoring Program
Fluid Dynamics Experiment
Phase Partitioning Experiment
Shuttle Student Involvement Program
Radiation Monitoring Experiment

The primary payloads were the Tracking and Data Relay Satellite (a NASA communications satellite) and the Spartan satellite that would be deployed into orbit carrying special instruments for the observation of Halley's Comet.

The NASA communications satellite was to have been placed in a geosynchronous orbit with the aid of a booster called the . The satellite would have supported communications with the Space Shuttle and up to 23 other spacecraft.

The Spartan satellite was to have been deployed into low Earth orbit using the remote manipulator system. The Spartan instruments would have watched Halley's Comet when it was too close to the Sun for other observatories to do so. Subsequently, the satellite would have been retrieved and returned to Earth in the Shuttle payload bay.

Chapter III - The Accident

Just after liftoff at .678 seconds into the flight, photographic data show a strong puff of gray smoke was spurting from the vicinity of the aft field joint on the right Solid Rocket Booster. The two pad 39B cameras that would have recorded the precise location of the puff were inoperative. Computer graphic analysis of film from other cameras indicated the initial smoke came from the 270 to 310-degree sector of the circumference of the aft field joint of the right Solid Rocket Booster. This area of the solid booster faces the External Tank. The vaporized material streaming from the joint indicated there was not complete sealing action within the joint.

Eight more distinctive puffs of increasingly blacker smoke were recorded between .836 and 2.500 seconds. The smoke appeared to puff upwards from the joint. While each smoke puff was being left behind by the upward flight of the Shuttle, the next fresh puff could be seen near the level of the joint. The multiple smoke puffs in this sequence occurred at about four times per second, approximating the frequency of the structural load dynamics and resultant joint flexing. Computer graphics applied to NASA photos from a variety of cameras in this sequence again placed the smoke puffs' origin in the 270- to 310-degree sector of the original smoke spurt.

As the Shuttle increased its upward velocity, it flew past the emerging and expanding smoke puffs. The last smoke was seen above the field joint at 2.733 seconds.

The black color and dense composition of the smoke puffs suggest that the grease, joint insulation and rubber O-rings in the joint seal were being burned and eroded by the hot propellant gases.

At approximately 37 seconds, Challenger encountered the first of several high-altitude wind shear conditions, which lasted until about 64 seconds. The wind shear created forces on the vehicle with relatively large fluctuations. These were immediately sensed and countered by the guidance, navigation and control system.

The steering system (thrust vector control) of the Solid Rocket Booster responded to all commands and wind shear effects. The wind shear caused the steering system to be more active than on any previous flight.

Both the Shuttle main engines and the solid rockets operated at reduced thrust approaching and passing through the area of maximum dynamic pressure of 720 pounds per square foot. Main engines had been throttled up to 104 percent thrust and the Solid Rocket Boosters were increasing their thrust when the first flickering flame appeared on the right Solid Rocket Booster in the area of the aft field joint. This first very small flame was detected on image enhanced film at 58.788 seconds into the flight. It appeared to originate at about 305 degrees around the booster circumference at or near the aft field joint.

One film frame later from the same camera, the flame was visible without image enhancement. It grew into a continuous, well-defined plume at 59.262 seconds. At about the same time (60 seconds), telemetry showed a pressure differential between the chamber pressures in the right and left boosters. The right booster chamber pressure was lower, confirming the growing leak in the area of the field joint.

As the flame plume increased in size, it was deflected rearward by the aerodynamic slipstream and circumferentially by the protruding structure of the upper ring attaching the booster to the External Tank. These deflections directed the flame plume onto the surface of the External Tank. This sequence of flame spreading is confirmed by analysis of the recovered wreckage. The growing flame also impinged on the strut attaching the Solid Rocket Booster to the External Tank.

The first visual indication that swirling flame from the right Solid Rocket Booster breached the External Tank was at 64.660 seconds when there was an abrupt change in the shape and color of the plume. This indicated that it was mixing with leaking hydrogen from the External Tank. Telemetered changes in the hydrogen tank pressurization confirmed the leak. Within 45 milliseconds of the breach of the External Tank, a bright sustained glow developed on the black-tiled underside of the Challenger between it and the External Tank.

Beginning at about 72 seconds, a series of events occurred extremely rapidly that terminated the flight. Telemetered data indicate a wide variety of flight system actions that support the visual evidence of the photos as the Shuttle struggled futilely against the forces that were destroying it.

At about 72.20 seconds the lower strut linking the Solid Rocket Booster and the External Tank was severed or pulled away from the weakened hydrogen tank permitting the right Solid Rocket Booster to rotate around the upper attachment strut. This rotation is indicated by divergent yaw and pitch rates between the left and right Solid Rocket Boosters.

At 73.124 seconds, a circumferential white vapor pattern was observed blooming from the side of the External Tank bottom dome. This was the beginning of the structural failure of the hydrogen tank that culminated in the entire aft dome dropping away. This released massive amounts of liquid hydrogen from the tank and created a sudden forward thrust of about 2.8 million pounds, pushing the hydrogen tank upward into the intertank structure. At about the same time, the rotating right Solid Rocket Booster impacted the intertank structure and the lower part of the liquid oxygen tank. These structures failed at 73.137 seconds as evidenced by the white vapors appearing in the intertank region.

Within milliseconds there was massive, almost explosive, burning of the hydrogen streaming from the failed tank bottom and liquid oxygen breach in the area of the intertank.

At this point in its trajectory, while traveling at a Mach number of 1.92 at an altitude of 46,000 feet, the Challenger was totally enveloped in the explosive burn. The Challenger's reaction control system ruptured and a hypergolic burn of its propellants occurred as it exited the oxygen-hydrogen flames. The reddish brown colors of the hypergolic fuel burn are visible on the edge of the main fireball. The Orbiter, under severe aerodynamic loads, broke into several large sections which emerged from the fireball. Separate sections that can be identified on film include the main engine/tail section with the engines still burning, one wing of the Orbiter, and the forward fuselage trailing a mass of umbilical lines pulled loose from the payload bay.

STS 51-L SEQUENCE OF MAJOR EVENTS

Mission Time GMT (hr:min:sec) | Event | Elapsed Time (secs.) | Source
======
16:37:53.444 | ME-3 Ignition Command | -6.566 | GPC
37:53.564 | ME-2 Ignition Command | -6.446 | GPC
37:53.684 | ME-1 Ignition Command | -6.326 | GPC
38:00.010 | SRM Ignition Command (T=0) | 0.000 | GPC
38:00.018 | Holddown Post 2 PIC firing | 0.008 | E8 Camera
38:00.260 | First Continuous Vertical Motion | 0.250 | E9 Camera
38:00.688 | Confirmed smoke above field joint on RH SRM | 0.678 | E60 Camera
38:00.846 | Eight puffs of smoke (from 0.836 thru 2.500 sec MET) | 0.836 | E63 Camera
38:02.743 | Last positive evidence of smoke above right aft SRB/ET attach ring | 2.733 | CZR-1 Camera
38:03.385 | Last positive visual indication of smoke | 3.375 | E60 Camera
38:04.349 | SSME 104% Command | 4.339 | E41M2076D
38:05.684 | RH SRM pressure 11.8 psi above nominal | 5.674 | B47P2302C
38:07.734 | Roll maneuver initiated | 7.724 | V90R5301C
38:19.869 | SSME 94% Command | 19.859 | E41M2076D
38:21.134 | Roll maneuver completed | 21.124 | VP0R5301C
38:35.389 | SSME 65% Command | 35.379 | E41M2076D
38:37.000 | Roll and Yaw Attitude Response to Wind (36.990 to 62.990 sec) | 36.990 | V95H352nC
38:51.870 | SSME 104% Command | 51.860 | E41M2076D
38:58.798 | First evidence of flame on RH SRM | 58.788 | E207 Camera
38:59.010 | Reconstructed Max Q (720 psf) | 59.000 | BET
38:59.272 | Continuous well defined plume on RH SRM | 59.262 | E207 Camera
38:59.763 | Flame from RH SRM in +Z direction (seen from south side of vehicle) | 59.753 | E204 Camera
39:00.014 | SRM pressure divergence (RH vs. LH) | 60.004 | B47P2302
39:00.248 | First evidence of plume deflection, intermittent | 60.238 | E207 Camera
39:00.258 | First evidence of SRB plume attaching to ET ring frame | 60.248 | E203 Camera
39:00.998 | First evidence of plume deflection, continuous | 60.988 | E207 Camera
39:01.734 | Peak roll rate response to wind | 61.724 | V90R5301C
39:02.094 | Peak TVC response to wind | 62.084 | B58H1150C
39:02.414 | Peak yaw response to wind | 62.404 | V90R5341C
39:02.494 | RH outboard elevon actuator hinge moment spike | 62.484 | V58P0966C
39:03.934 | RH outboard elevon actuator delta pressure change | 63.924 | V58P0966C
39:03.974 | Start of planned pitch rate maneuver | 63.964 | V90R5321C
39:04.670 | Change in anomalous plume shape (LH2 tank leak near 2058 ring frame) | 64.660 | E204 Camera
39:04.715 | Bright sustained glow on sides of ET | 64.705 | E204 Camera
39:04.947 | Start SSME gimbal angle large pitch variations | 64.937 | V58H1100A
39:05.174 | Beginning of transient motion due to changes in aero forces due to plume | 65.164 | V90R5321C
39:06.774 | Start ET LH2 ullage pressure deviations | 66.764 | T41P1700C
39:12.214 | Start divergent yaw rates (RH vs. LH SRB) | 72.204 | V90R2528C
39:12.294 | Start divergent pitch rates (RH vs. LH SRB) | 72.284 | V90R2525C
39:12.488 | SRB major high-rate actuator command | 72.478 | V79H2111A
39:12.507 | SSME roll gimbal rates 5 deg/sec | 72.497 | V58H1100A
39:12.535 | Vehicle max +Y lateral acceleration (+.227 g) | 72.525 | V98A1581C
39:12.574 | SRB major high-rate actuator motion | 72.564 | B58H1151C
39:12.574 | Start of H2 tank pressure decrease with 2 flow control valves open | 72.564 | T41P1700C
39:12.634 | Last state vector downlinked | 72.624 | Data reduction
39:12.974 | Start of sharp MPS LOX inlet pressure drop | 72.964 | V41P1330C
39:13.020 | Last full computer frame of TDRS data | 73.010 | Data reduction
39:13.054 | Start of sharp MPS LH2 inlet pressure drop | 73.044 | V41P1100C
39:13.055 | Vehicle max -Y lateral acceleration (-.254 g) | 73.045 | V98A1581C
39:13.134 | Circumferential white pattern on ET aft dome (LH2 tank failure) | 73.124 | E204 Camera
39:13.134 | RH SRM pressure 19 psi lower than LH SRM | 73.124 | B47P2302C
39:13.147 | First hint of vapor at intertank | | E207 Camera
39:13.153 | All engine systems start responding to loss of fuel and LOX inlet pressure | 73.143 | SSME team
39:13.172 | Sudden cloud along ET between intertank and aft dome | 73.162 | E207 Camera
39:13.201 | Flash between Orbiter & LH2 tank | 73.191 | E204 Camera
39:13.221 | SSME telemetry data interference from 73.211 to 73.303 | 73.211 |
39:13.223 | Flash near SRB fwd attach and brightening of flash between Orbiter and ET | 73.213 | E204 Camera
39:13.292 | First indication intense white flash at SRB fwd attach point | 73.282 | E204 Camera
39:13.337 | Greatly increased intensity of white flash | 73.327 | E204 Camera
39:13.387 | Start RCS jet chamber pressure fluctuations | 73.377 | V42P1552A
39:13.393 | All engines approaching HPFT discharge temp redline limits | 73.383 | E41Tn010D
39:13.492 | ME-2 HPFT disch. temp Chan. A vote for shutdown; 2 strikes on Chan. B | 73.482 | MEC data
39:13.492 | ME-2 controller last time word update | 73.482 | MEC data
39:13.513 | ME-3 in shutdown due to HPFT discharge temperature redline exceedance | 73.503 | MEC data
39:13.513 | ME-3 controller last time word update | 73.503 | MEC data
39:13.533 | ME-1 in shutdown due to HPFT discharge temperature redline exceedance | 73.523 | Calculation
39:13.553 | ME-1 last telemetered data point | 73.543 | Calculation
39:13.628 | Last validated Orbiter telemetry measurement | 73.618 | V46P0120A
39:13.641 | End of last reconstructed data frame with valid synchronization and frame count | 73.631 | Data reduction
39:14.140 | Last radio frequency signal from Orbiter | 74.130 | Data reduction
39:14.597 | Bright flash in vicinity of Orbiter nose | 74.587 | E204 Camera
39:16.447 | RH SRB nose cap sep/chute deployment | 76.437 | E207 Camera
39:50.260 | RH SRB RSS destruct | 110.250 | E202 Camera
39:50.262 | LH SRB RSS destruct | 110.252 | E230 Camera

ACT POS -- Actuator Position
APU -- Auxiliary Power Unit
BET -- Best Estimated Trajectory
CH -- Channel
DISC -- Discharge
ET -- External Tank
GG -- Gas Generator
GPC -- General Purpose Computer
GMT -- Greenwich Mean Time
HPFT -- High Pressure Fuel Turbopump
LH -- Lefthand
LH2 -- Liquid Hydrogen
LO2 -- Liquid Oxygen (same as LOX)
MAX Q -- Maximum Dynamic Pressure
ME -- Main Engine (same as SSME)
MEC -- Main Engine Controller
MET -- Mission Elapsed Time
MPS -- Main Propulsion System
PC -- Chamber Pressure
PIC -- Pyrotechnics Initiator Controller
psf -- Pounds per square foot
RCS -- Reaction Control System
RGA -- Rate Gyro Assembly
RH -- Righthand
RSS -- Range Safety System
SRM -- Solid Rocket Motor
SSME -- Space Shuttle Main Engine
TEMP -- Temperature
TVC -- Thrust Vector Control

NOTE: The Shuttle coordinate system used is relative to the Orbiter, as follows:

+X direction = forward (tail to nose)
-X direction = rearward (nose to tail)
+Y direction = right (toward the right wing tip)
-Y direction = left (toward the left wing tip)
+Z direction = down
-Z direction = up

Shuttle to Ground Telemetry Channels

Channel Identifier | Sample Rate (samp/sec) | Sample Period (sec) | Description
======
B47P1302C | 12.5 | .080 | LH SRM CHAMBER PRESSURE
B47P2302C | 12.5 | .080 | RH SRM CHAMBER PRESSURE
B58H1150C | 25 | .040 | LH SRB TVC TILT ACT POS
B58H1151C | 25 | .040 | LH SRB TVC ROCK ACT POS
E41M2076D | 25 | .040 | ME-3 VEHICLE COMMAND
E41T1010D | 25 | .040 | ME-1 HPFT DISC TEMP-CH A
E41T2010D | 25 | .040 | ME-2 HPFT DISC TEMP-CH A
E41T3010D | 25 | .040 | ME-3 HPFT DISC TEMP-CH A
T41P1700C | 5 | .200 | ET LH2 ULLAGE PRESSURE
V41P1100C | 12.5 | .080 | MPS LH2 INLET PRESS (ME-1)
V41P1330C | 12.5 | .080 | MPS LO2 INLET PRESS (ME-3)
V42P1552A | 25 | .040 | RCS THRUSTER PC
V46P0120A | 100 | .010 | APU-1 GG CHAMBER PRESS
V58H1100A | 25 | .040 | ME-PITCH ACTUATOR POS
V58P0866C | 12.5 | .080 | LH OB ELEVON PRI DELTA P
V58P0966C | 12.5 | .080 | RH OB ELEVON PRI DELTA P
V79H2111A | 25 | .040 | LH SRB TILT ACT DRIVER
V90R2525C | 5 | .200 | SEL LH SRB PITCH RATE
V90R2528C | 5 | .200 | SEL RH SRB YAW RATE
V90R5301C | 5 | .200 | SELECTED RGA ROLL RATE
V90R5321C | 5 | .200 | SELECTED RGA PITCH RATE
V90R5341C | 5 | .200 | SELECTED RGA YAW RATE
V95H3522C | 12.5 | .080 | BODY YAW ATTITUDE ERROR
V95H3523C | 12.5 | .080 | BODY ROLL ATTITUDE ERROR
V98A1581C | 25 | .040 | LATERAL ACCELERATION

Chapter IV - The Cause of the Accident

The consensus of the Commission and participating investigative agencies is that the loss of the Space Shuttle Challenger was caused by a failure in the joint between the two lower segments of the right Solid Rocket Motor. The specific failure was the destruction of the seals that are intended to prevent hot gases from leaking through the joint during the propellant burn of the rocket motor. The evidence assembled by the Commission indicates that no other element of the Space Shuttle system contributed to this failure.

In arriving at this conclusion, the Commission reviewed in detail all available data, reports and records; directed and supervised numerous tests, analyses, and experiments by NASA, civilian contractors and various government agencies; and then developed specific scenarios and the range of most probable causative factors.

FINDINGS

1. A combustion gas leak through the right Solid Rocket Motor aft field joint initiated at or shortly after ignition eventually weakened and/or penetrated the External Tank initiating vehicle structural breakup and loss of the Space Shuttle Challenger during STS Mission 51-L.

2. The evidence shows that no other STS 51-L Shuttle element or the payload contributed to the causes of the right Solid Rocket Motor aft field joint combustion gas leak. Sabotage was not a factor.

3. Evidence examined in the review of Space Shuttle material, manufacturing, assembly, quality control, and processing on non-conformance reports found no flight hardware shipped to the launch site that fell outside the limits of Shuttle design specifications.

4. Launch site activities, including assembly and preparation, from receipt of the flight hardware to launch were generally in accord with established procedures and were not considered a factor in the accident.

5. Launch site records show that the right Solid Rocket Motor segments were assembled using approved procedures. However, significant out-of-round conditions existed between the two segments joined at the right Solid Rocket Motor aft field joint (the joint that failed).

a. While the assembly conditions had the potential of generating debris or damage that could cause O-ring seal failure, these were not considered factors in this accident.

b. The diameters of the two Solid Rocket Motor segments had grown as a result of prior use.

c. The growth resulted in a condition at time of launch wherein the maximum gap between the tang and clevis in the region of the joint's O-rings was no more than .008 inches and the average gap would have been .004 inches.

d. With a tang-to-clevis gap of .004 inches, the O-ring in the joint would be compressed to the extent that it pressed against all three walls of the O-ring retaining channel.

e. The lack of roundness of the segments was such that the smallest tang-to-clevis clearance occurred at the initiation of the assembly operation at positions of 120 degrees and 300 degrees around the circumference of the aft field joint. It is uncertain if this tight condition and the resultant greater compression of the O-rings at these points persisted to the time of launch.

6. The ambient temperature at time of launch was 36 degrees Fahrenheit, or 15 degrees lower than the next coldest previous launch.

a. The temperature at the 300 degree position on the right aft field joint circumference was estimated to be 28 degrees plus or minus 5 degrees Fahrenheit. This was the coldest point on the joint.

b. Temperature on the opposite side of the right Solid Rocket Booster facing the sun was estimated to be about 50 degrees Fahrenheit.

7. Other joints on the left and right Solid Rocket Boosters experienced similar combinations of tang-to-clevis gap clearance and temperature. It is not known whether these joints experienced distress during the flight of 51-L.

8. Experimental evidence indicates that due to several effects associated with the Solid Rocket Booster's ignition and combustion pressures and associated vehicle motions, the gap between the tang and the clevis will open as much as .017 and .029 inches at the secondary and primary O-rings, respectively.

a. This opening begins upon ignition, reaches its maximum rate of opening at about 200-300 milliseconds, and is essentially complete at 600 milliseconds when the Solid Rocket Booster reaches its operating pressure.

b. The External Tank and right Solid Rocket Booster are connected by several struts, including one at 310 degrees near the aft field joint that failed. This strut's effect on the joint dynamics is to enhance the opening of the gap between the tang and clevis by about 10-20 percent in the region of 300-320 degrees.

9. O-ring resiliency is directly related to its temperature.

a. A warm O-ring that has been compressed will return to its original shape much quicker than will a cold O-ring when compression is relieved. Thus, a warm O-ring will follow the opening of the tang-to-clevis gap. A cold O-ring may not.

b. A compressed O-ring at 75 degrees Fahrenheit is five times more responsive in returning to its uncompressed shape than a cold O-ring at 30 degrees Fahrenheit.

c. As a result it is probable that the O-rings in the right solid booster aft field joint were not following the opening of the gap between the tang and clevis at time of ignition.

10. Experiments indicate that the primary mechanism that actuates O-ring sealing is the application of gas pressure to the upstream (high-pressure) side of the O-ring as it sits in its groove or channel.

a. For this pressure actuation to work most effectively, a space between the O-ring and its upstream channel wall should exist during pressurization.

b. A tang-to-clevis gap of .004 inches, as probably existed in the failed joint, would have initially compressed the O-ring to the degree that no clearance existed between the O-ring and its upstream channel wall and the other two surfaces of the channel.

c. At the cold launch temperature experienced, the O-ring would be very slow in returning to its normal rounded shape. It would not follow the opening of the tang-to-clevis gap. It would remain in its compressed position in the O-ring channel and not provide a space between itself and the upstream channel wall. Thus, it is probable the O-ring would not be pressure actuated to seal the gap in time to preclude joint failure due to blow-by and erosion from hot combustion gases.

11. The sealing characteristics of the Solid Rocket Booster O-rings are enhanced by timely application of motor pressure.

a. Ideally, motor pressure should be applied to actuate the O-ring and seal the joint prior to significant opening of the tang-to-clevis gap (100 to 200 milliseconds after motor ignition).

b. Experimental evidence indicates that temperature, humidity and other variables in the putty compound used to seal the joint can delay pressure application to the joint by 500 milliseconds or more.

c. This delay in pressure could be a factor in initial joint failure.

12. Of 21 launches with ambient temperatures of 61 degrees Fahrenheit or greater, only four showed signs of O-ring thermal distress; i.e., erosion or blow-by and soot. Each of the launches below 61 degrees Fahrenheit resulted in one or more O-rings showing signs of thermal distress.

a. Of these improper joint sealing actions, one-half occurred in the aft field joints, 20 percent in the center field joints, and 30 percent in the upper field joints. The division between left and right Solid Rocket Boosters was roughly equal.

b. Each instance of thermal O-ring distress was accompanied by a leak path in the insulating putty. The leak path connects the rocket's combustion chamber with the O-ring region of the tang and clevis. Joints that actuated without incident may also have had these leak paths.

13. There is a possibility that there was water in the clevis of the STS 51-L joints since water was found in the STS-9 joints during a destack operation after exposure to less rainfall than STS 51-L. At time of launch, it was cold enough that water present in the joint would freeze. Tests show that ice in the joint can inhibit proper secondary seal performance.

14. A series of puffs of smoke were observed emanating from the 51-L aft field joint area of the right Solid Rocket Booster between 0.678 and 2.500 seconds after ignition of the Shuttle Solid Rocket Motors.

a. The puffs appeared at a frequency of about three puffs per second. This roughly matches the natural structural frequency of the solids at lift off and is reflected in slight cyclic changes of the tang-to-clevis gap opening.

b. The puffs were seen to be moving upward along the surface of the booster above the aft field joint.

c. The smoke was estimated to originate at a circumferential position of between 270 degrees and 315 degrees on the booster aft field joint, emerging from the top of the joint.

15. This smoke from the aft field joint at Shuttle lift off was the first sign of the failure of the Solid Rocket Booster O-ring seals on STS 51-L.

16. The leak was again clearly evident as a flame at approximately 58 seconds into the flight. It is possible that the leak was continuous but unobservable or non-existent in portions of the intervening period. It is possible in either case that thrust vectoring and normal vehicle response to wind shear as well as planned maneuvers reinitiated or magnified the leakage from a degraded seal in the period preceding the observed flames. The estimated position of the flame, centered at a point 307 degrees around the circumference of the aft field joint, was confirmed by the recovery of two fragments of the right Solid Rocket Booster.

a. A small leak could have been present that may have grown to breach the joint in flame at a time on the order of 58 to 60 seconds after lift off.

b. Alternatively, the O-ring gap could have been resealed by deposition of a fragile buildup of aluminum oxide and other combustion debris. This resealed section of the joint could have been disturbed by thrust vectoring, Space Shuttle motion and flight loads induced by changing winds aloft.

c. The winds aloft caused control actions in the time interval of 32 seconds to 62 seconds into the flight that were typical of the largest values experienced on previous missions.

CONCLUSION

In view of the findings, the Commission concluded that the cause of the Challenger accident was the failure of the pressure seal in the aft field joint of the right Solid Rocket Booster. The failure was due to a faulty design unacceptably sensitive to a number of factors. These factors were the effects of temperature, physical dimensions, the character of materials, the effects of reusability, processing and the reaction of the joint to dynamic loading.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.40, p.70-81)

Chapter 5 - THE CONTRIBUTING CAUSE OF THE ACCIDENT

The decision to launch the Challenger was flawed. Those who made that decision were unaware of the recent history of problems concerning the O-rings and the joint and were unaware of the initial written recommendation of the contractor advising against the launch at temperatures below 53 degrees Fahrenheit and the continuing opposition of the engineers at Thiokol after the management reversed its position. They did not have a clear understanding of Rockwell's concern that it was not safe to launch because of ice on the pad. If the decision makers had known all of the facts, it is highly unlikely that they would have decided to launch 51-L on January 28, 1986.

FINDINGS

1. The Commission concluded that there was a serious flaw in the decision making process leading up to the launch of flight 51-L. A well structured and managed system emphasizing safety would have flagged the rising doubts about the Solid Rocket Booster joint seal. Had these matters been clearly stated and emphasized in the flight readiness process in terms reflecting the views of most of the Thiokol engineers and at least some of the Marshall engineers, it seems likely that the launch of 51-L might not have occurred when it did.

2. The waiving of launch constraints appears to have been at the expense of flight safety. There was no system which made it imperative that launch constraints and waivers of launch constraints be considered by all levels of management.

3. The Commission is troubled by what appears to be a propensity of management at Marshall to contain potentially serious problems and to attempt to resolve them internally rather than communicate them forward. This tendency is altogether at odds with the need for Marshall to function as part of a system working toward successful flight missions, interfacing and communicating with the other parts of the system that work to the same end.

4. The Commission concluded that the Thiokol Management reversed its position and recommended the launch of 51-L, at the urging of Marshall and contrary to the views of its engineers in order to accommodate a major customer.

Findings

The Commission is concerned about three aspects of the ice-on-the-pad issue.

1. An analysis of all of the testimony and interviews establishes that Rockwell's recommendation on launch was ambiguous. The Commission finds it difficult, as did Mr. Aldrich, to conclude that there was a no-launch recommendation. Moreover, all parties were asked specifically to contact Aldrich or other NASA officials after the 9:00 Mission Management Team meeting and subsequent to the resumption of the countdown.

2. The Commission is also concerned about the NASA response to the Rockwell position at the 9:00 a.m. meeting. While it is understood that decisions have to be made in launching a Shuttle, the Commission is not convinced Levels I and II appropriately considered Rockwell's concern about the ice. However ambiguous Rockwell's position was, it is clear that they did tell NASA that the ice was an unknown condition. Given the extent of the ice on the pad, the admitted unknown effect of the Solid Rocket Motor and Space Shuttle Main Engines ignition on the ice, as well as the fact that debris striking the Orbiter was a potential flight safety hazard, the Commission finds the decision to launch questionable under those circumstances. In this situation, NASA appeared to be requiring a contractor to prove that it was not safe to launch, rather than proving it was safe. Nevertheless, the Commission has determined that the ice was not a cause of the 51-L accident and does not conclude that NASA's decision to launch specifically overrode a no-launch recommendation by an element contractor.

3. The Commission concluded that the freeze protection plan for launch pad 39B was inadequate. The Commission believes that the severe cold and presence of so much ice on the fixed made it inadvisable to launch on the morning of January 28, and that margins of safety were whittled down too far.

Additionally, access to the crew emergency slide wire baskets was hazardous due to ice conditions. Had the crew been required to evacuate the Orbiter on the launch pad, they would have been running on an icy surface. The Commission believes the crew should have been made aware of the condition, and greater consideration should have been given to delaying the launch.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.82, p.104, p.117-118)

Chapter 6 - AN ACCIDENT ROOTED IN HISTORY

EARLY DESIGN

The Space Shuttle's Solid Rocket Booster problem began with the faulty design of its joint and increased as both NASA and contractor management first failed to recognize it as a problem, then failed to fix it and finally treated it as an acceptable flight risk.

Morton Thiokol, Inc., the contractor, did not accept the implication of tests early in the program that the design had a serious and unanticipated flaw. NASA did not accept the judgment of its engineers that the design was unacceptable, and as the joint problems grew in number and severity NASA minimized them in management briefings and reports. Thiokol's stated position was that "the condition is not desirable but is acceptable."

Neither Thiokol nor NASA expected the rubber O-rings sealing the joints to be touched by hot gases of motor ignition, much less to be partially burned. However, as tests and then flights confirmed damage to the sealing rings, the reaction by both NASA and Thiokol was to increase the amount of damage considered "acceptable." At no time did management either recommend a redesign of the joint or call for the Shuttle's grounding until the problem was solved.

FINDINGS

The genesis of the Challenger accident -- the failure of the joint of the right Solid Rocket Motor -- began with decisions made in the design of the joint and in the failure by both Thiokol and NASA's Solid Rocket Booster project office to understand and respond to facts obtained during testing.

The Commission has concluded that neither Thiokol nor NASA responded adequately to internal warnings about the faulty seal design. Furthermore, Thiokol and NASA did not make a timely attempt to develop and verify a new seal after the initial design was shown to be deficient. Neither organization developed a solution to the unexpected occurrences of O-ring erosion and blow-by even though this problem was experienced frequently during the Shuttle flight history. Instead, Thiokol and NASA management came to accept erosion and blow-by as unavoidable and an acceptable flight risk. Specifically, the Commission has found that:

1. The joint test and certification program was inadequate. There was no requirement to configure the qualifications test motor as it would be in flight, and the motors were static tested in a horizontal position, not in the vertical flight position.

2. Prior to the accident, neither NASA nor Thiokol fully understood the mechanism by which the joint sealing action took place.

3. NASA and Thiokol accepted escalating risk apparently because they "got away with it last time." As Commissioner Feynman observed, the decision making was:

"a kind of Russian roulette. ... (The Shuttle) flies (with O-ring erosion) and nothing happens. Then it is suggested, therefore, that the risk is no longer so high for the next flights. We can lower our standards a little bit because we got away with it last time. ... You got away with it, but it shouldn't be done over and over again like that."

4. NASA's system for tracking anomalies for Flight Readiness Reviews failed in that, despite a history of persistent O-ring erosion and blow-by, flight was still permitted. It failed again in the strange sequence of six consecutive launch constraint waivers prior to 51-L, permitting it to fly without any record of a waiver, or even of an explicit constraint. Tracking and continuing only anomalies that are "outside the data base" of prior flight allowed major problems to be removed from and lost by the reporting system.

5. The O-ring erosion history presented to Level I at NASA Headquarters in August 1985 was sufficiently detailed to require corrective action prior to the next flight.

6. A careful analysis of the flight history of O-ring performance would have revealed the correlation of O-ring damage and low temperature. Neither NASA nor Thiokol carried out such an analysis; consequently, they were unprepared to properly evaluate the risks of launching the 51-L mission in conditions more extreme than they had encountered before.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.120, p.148)

Chapter 7 - THE SILENT SAFETY PROGRAM

The Commission was surprised to realize after many hours of testimony that NASA's safety staff was never mentioned. No witness related the approval or disapproval of the reliability engineers, and none expressed the satisfaction or dissatisfaction of the quality assurance staff. No one thought to invite a safety representative or a reliability and quality assurance engineer to the January 27, 1986, teleconference between Marshall and Thiokol. Similarly, there was no representative of safety on the Mission Management Team that made key decisions during the countdown on January 28, 1986. The Commission is concerned about the symptoms that it sees.

The unrelenting pressure to meet the demands of an accelerating flight schedule might have been adequately handled by NASA if it had insisted upon the exactingly thorough procedures that were its hallmark during the Apollo program. An extensive and redundant safety program comprising interdependent safety, reliability and quality assurance functions existed during and after the lunar program to discover any potential safety problems. Between that period and 1986, however, the program became ineffective. This loss of effectiveness seriously degraded the checks and balances essential for maintaining flight safety.

On April 3, 1986, Arnold Aldrich, the Space Shuttle program manager, appeared before the Commission at a public hearing in Washington, D.C. He described five different communication or organization failures that affected the launch decision on January 28, 1986. Four of those failures relate directly to faults within the safety program. These faults include a lack of problem reporting requirements, inadequate trend analysis, misrepresentation of criticality and lack of involvement in critical discussions. A properly staffed, supported, and robust safety organization might well have avoided these faults and thus eliminated the communication failures.

NASA has a safety program to ensure that the communication failures to which Mr. Aldrich referred do not occur. In the case of mission 51-L, that program fell short.

FINDINGS

1. Reductions in the safety, reliability and quality assurance work force at Marshall and NASA Headquarters have seriously limited capability in those vital functions.

2. Organizational structures at Kennedy and Marshall have placed safety, reliability and quality assurance offices under the supervision of the very organizations and activities whose efforts they are to check.

3. Problem reporting requirements are not concise and fail to get critical information to the proper levels of management.

4. Little or no trend analysis was performed on O-ring erosion and blow-by problems.

5. As the flight rate increased, the Marshall safety, reliability and quality assurance work force was decreasing, which adversely affected mission safety.

6. Five weeks after the 51-L accident, the criticality of the Solid Rocket Motor field joint was still not properly documented in the problem reporting system at Marshall.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.152, p.161)

Chapter 8 - PRESSURES ON THE SYSTEM

With the 1982 completion of the orbital flight test series, NASA began a planned acceleration of the Space Shuttle launch schedule. One early plan contemplated an eventual rate of a mission a week, but realism forced several downward revisions. In 1985, NASA published a projection calling for an annual rate of 24 flights by 1990. Long before the Challenger accident, however, it was becoming obvious that even the modified goal of two flights a month was overambitious.

In establishing the schedule, NASA had not provided adequate resources for its attainment. As a result, the capabilities of the system were strained by the modest nine-mission rate of 1985, and the evidence suggests that NASA would not have been able to accomplish the 14 flights scheduled for 1986. These are the major conclusions of a Commission examination of the pressures and problems attendant upon the accelerated launch schedule.

FINDINGS

1. The capabilities of the system were stretched to the limit to support the flight rate in winter 1985/1986. Projections into the spring and summer of 1986 showed a clear trend; the system, as it existed, would have been unable to deliver crew training software for scheduled flights by the designated dates. The result would have been an unacceptable compression of the time available for the crews to accomplish their required training.

2. Spare parts are in critically short supply. The Shuttle program made a conscious decision to postpone spare parts procurements in favor of budget items of perceived higher priority. Lack of spare parts would likely have limited flight operations in 1986.

3. Stated manifesting policies are not enforced. Numerous late manifest changes (after the cargo integration review) have been made to both major payloads and minor payloads throughout the Shuttle program.

Late changes to major payloads or program requirements can require extensive resources (money, manpower, facilities) to implement.

If many late changes to "minor" payloads occur, resources are quickly absorbed.

Payload specialists frequently were added to a flight well after announced deadlines.

Late changes to a mission adversely affect the training and development of procedures for subsequent missions.

4. The scheduled flight rate did not accurately reflect the capabilities and resources.

The flight rate was not reduced to accommodate periods of adjustment in the capacity of the work force. There was no margin in the system to accommodate unforeseen hardware problems.

Resources were primarily directed toward supporting the flights and thus not enough were available to improve and expand facilities needed to support a higher flight rate.

5. Training simulators may be the limiting factor on the flight rate: the two current simulators cannot train crews for more than 12-15 flights per year.

6. When flights come in rapid succession, current requirements do not ensure that critical anomalies occurring during one flight are identified and addressed appropriately before the next flight.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.164, p.176)

Chapter 9 - OTHER SAFETY CONSIDERATIONS

In the course of its investigation, the Commission became aware of a number of matters that played no part in the mission 51-L accident but nonetheless hold a potential for safety problems in the future. Some of these matters, those involving operational concerns, were brought directly to the Commission's attention by the NASA office. They were the subject of a special hearing.

Other areas of concern came to light as the Commission pursued various lines of investigation in its attempt to isolate the cause of the accident. These inquiries examined such aspects as the development and operation of each of the elements of the Space Shuttle -- the Orbiter, its main engines and the External Tank; the procedures employed in the processing and assembly of 51-L, and launch damage.

This chapter examines potential risks in two general areas. The first embraces critical aspects of a Shuttle flight; for example, considerations related to a possible premature mission termination during the ascent phase and the risk factors connected with the demanding approach and landing phase. The other focuses on testing, processing and assembling the various elements of the Shuttle.

ASCENT: A Critical Phase

The events of flight 51-L dramatically illustrated the dangers of the first stage of a Space Shuttle ascent. The accident also focused attention on the issues of Orbiter abort capabilities and crew escape. Of particular concern to the Commission are the current abort capabilities, options to improve those capabilities, options for crew escape and the performance of the range safety system.

It is not the Commission's intent to second-guess the Space Shuttle design or try to depict escape provisions that might have saved the 51-L crew. In fact, the events that led to destruction of the Challenger progressed very rapidly and without warning. Under those circumstances, the Commission believes it is highly unlikely that any of the systems discussed below, or any combination of those systems, would have saved the flight 51-L crew.

FINDINGS

1. The Space Shuttle System was not designed to survive a failure of the Solid Rocket Boosters. There are no corrective actions that can be taken if the boosters do not operate properly after ignition, i.e., there is no ability to separate an Orbiter safely from thrusting boosters and no ability for the crew to escape the vehicle during first-stage ascent.

Neither the Mission Control Team nor the 51-L crew had any warning of impending disaster.

Even if there had been warning, there were no actions available to the crew or the Mission Control Team to avert the disaster.

LANDING: Another Critical Phase

The consequences of faulty performance in any dynamic and demanding flight environment can be catastrophic. The Commission was concerned that an insufficient safety margin may have existed in areas other than Shuttle ascent. Entry and landing of the Shuttle are dynamic and demanding with all the risks and complications inherent in flying a heavyweight glider with a very steep glide path. Since the Shuttle crew cannot divert to any alternate landing site after entry, the landing decision must be both timely and accurate. In addition, the landing gear, which includes wheels, tires and brakes, must function properly.

In summary, although there are valid programmatic reasons to land routinely at Kennedy, there are concerns that suggest that this is not wise under the present circumstances. While planned landings at Edwards carry a cost in dollars and days, the realities of weather cannot be ignored. Shuttle program officials must recognize that Edwards is a permanent, essential part of the program. The cost associated with regular scheduled landing and turnaround operations at Edwards is thus a necessary program cost.

Decisions governing Space Shuttle operations must be consistent with the philosophy that unnecessary risks have to be eliminated. Such decisions cannot be made without a clear understanding of margins of safety in each part of the system.

Unfortunately, margins of safety cannot be assured if performance characteristics are not thoroughly understood, nor can they be deduced from a previous flight's "success."

The Shuttle program cannot afford to operate outside its experience in the areas of tires, brakes and weather, with the capabilities of the system today. Pending a clear understanding of all landing and deceleration systems, and a resolution of the problems encountered to date in Shuttle landings, the most conservative course must be followed in order to minimize risk during this dynamic phase of flight.

SHUTTLE ELEMENTS

The Space Shuttle Main Engine teams at Marshall and Rocketdyne have developed engines that have achieved their performance goals and have performed extremely well. Nevertheless the main engines continue to be highly complex and critical components of the Shuttle that involve an element of risk principally because important components of the engines degrade more rapidly with flight use than anticipated. Both NASA and Rocketdyne have taken steps to contain that risk. An important aspect of the main engine program has been the extensive "hot fire" ground tests. Unfortunately, the vitality of the test program has been reduced because of budgetary constraints.

The number of engine test firings per month has decreased over the past two years. Yet this test program has not yet demonstrated the limits of engine operation parameters or included tests over the full operating envelope to show full engine capability. In addition, tests have not yet been deliberately conducted to the point of failure to determine actual engine operating margins.

The Orbiter has also performed well. There is, however, one serious potential failure mode related to the disconnect valves between the Orbiter and the External Tank. The present design includes two 17-inch diameter valves, one controlling the oxygen flow, and the other the hydrogen flow from the tank to the Orbiter's three engines. Each of the disconnect valves has two flappers that close off the flow of the liquid hydrogen and oxygen when the External Tank separates from the Orbiter. An inadvertent closure by any of the four flappers during normal engine operation would cause a catastrophe due to rupture of supply line and/or tank. New designs are under study, incorporating modifications to prevent inadvertent valve closures. Redesigned valves could be qualified, certified and available for use on the Shuttle's next flight.

While the External Tank has performed flawlessly during all Shuttle flights, one area of concern pertains to the indicators for the two valves which vent the liquid hydrogen and liquid oxygen. These valves can indicate they are closed when they might be partially open. This condition is potentially hazardous, since leaks of either gaseous oxygen or hydrogen prior to launch, or in flight, could lead to fires. This could, in turn, lead to catastrophic failure of the External Tank. NASA is currently studying design modifications to the valve position indicators. This effort could be expedited and the redesigned indicators installed before the next flight of the Shuttle.

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986 p.178, p.192)

NASA ACTIONS TO IMPLEMENT COMMISSION RECOMMENDATIONS

(Source: Actions to Implement the Recommendations of The Presidential Commission on the Space Shuttle Challenger Accident, Executive Summary, July 14, 1986, NASA Headquarters)

On June 13, 1986, the President directed NASA to implement, as soon as possible, the recommendations of the Presidential Commission on the Space Shuttle Challenger Accident. The President requested that NASA report, within 30 days, how and when the recommendations will be implemented, including milestones by which progress can be measured.

In the months since the Challenger accident, the NASA team has spent many hours in support of the Presidential Commission on the Space Shuttle Challenger Accident and in planning for a return of the Shuttle to safe flight status. Chairman William P. Rogers and the other members of the Commission have rendered the Nation and NASA an exceptional service. The work of the Commission was extremely thorough and comprehensive. NASA agrees with the Commission's recommendations and is vigorously pursuing the actions required to implement and comply with them.

As a result of the efforts in support of the Commission, many of the actions required to safely return the Space Shuttle to flight status have been under way since March. On March 24, 1986, the Associate Administrator for Space Flight outlined a comprehensive strategy, and defined major actions, for safely returning to flight status. The March 24 memorandum (Commission Activities: An Overview) provided guidance on the following subjects:

actions required prior to next flight, first flight/first year operations, and development of sustainable safe flight rate.

The Commission report was submitted to the President on June 9, 1986. Since that time, NASA has taken additional actions and provided direction required to comply with the Commission's recommendations.

The NASA Administrator and the Associate Administrator for Space Flight will participate in the key management decisions required for implementing the Commission recommendations and for returning the Space Shuttle to flight status. NASA will report to the President on the status of the implementation program in June 1987.

The Commission report included nine recommendations, and a summary of the implementation status for each is provided:

RECOMMENDATION I

Solid Rocket Motor Design:

On March 24, 1986, the Marshall Space Flight Center (MSFC) was directed to form a Solid Rocket Motor (SRM) joint redesign team to include participation from MSFC and other NASA centers as well as individuals from outside NASA. The team includes personnel from Johnson Space Center, , Langley Research Center, industry, and the Astronaut Office. To assist the redesign team, an expert advisory panel was appointed which includes 12 people with six coming from outside NASA.

The team has evaluated several design alternatives, and analysis and testing are in progress to determine the preferred approaches which minimize hardware redesign. To ensure adequate program contingency in this effort, the redesign team will also develop, at least through concept definition, a totally new design which does not utilize existing hardware. The design verification and certification program will be emphasized and will include tests which duplicate the actual launch loads as closely as feasible and provide for tests over the full range of operating conditions. The verification effort includes a trade study which has been under way for several weeks to determine the preferred test orientation (vertical or horizontal) of the full-scale motor firings. The Solid Rocket Motor redesign and certification schedule is under review to fully understand and plan for the implementation of the design solutions as they are finalized and assessed. The schedule will be reassessed after the SRM Preliminary Design Review in September 1986. At this time it appears that the first launch will not occur prior to the first quarter of 1988.

Independent Oversight: In accordance with the Commission's recommendation, the National Research Council (NRC) has established an Independent Oversight Group chaired by Dr. H. Guyford Stever and reporting to the NASA Administrator. The NRC Oversight Group has been briefed on Shuttle system requirements, implementation, and control; Solid Rocket Motor background; and candidate modifications. The group has established a near-term plan that includes briefings and visits to review inflight loads; assembly processing; redesign status; and other solid rocket motor designs, including participation in the Solid Rocket Motor preliminary design review in September 1986.

RECOMMENDATION II

Shuttle Management Structure:

The Administrator has appointed General Sam Phillips, who served as Apollo Program Director, to study every aspect of how NASA manages its programs, including relationships between various field centers and NASA Headquarters. General Phillips has broad authority from the Administrator to explore every aspect of NASA organization, management and procedures. His activities will include a review of the Space Shuttle management structure.

On June 25, 1986, Astronaut Robert Crippen was directed to form a fact-finding group to assess the Space Shuttle management structure. The group will report recommendations to the Associate Administrator for Space Flight by August 15, 1986. Specifically, this group will address the roles and responsibilities of the Space Shuttle Program Manager to assure that the position has the authority commensurate with its responsibilities. In addition, roles and responsibilities at all levels of program management will be reviewed to specify the relationship between the program organization and the field center organizations. The results of this study will be reviewed with General Phillips and the Administrator with a decision on implementation of the recommendations by October 1, 1986.

Astronauts in Management

Rear Admiral Richard Truly, a former astronaut, has been appointed as Associate Administrator for the Office of Space Flight. Several active astronauts are currently serving in management positions in the agency. The Crippen group will address means to stimulate the transition of astronauts into other management positions. It will also determine the appropriate position for the Flight Crew Operations Directorate within the NASA organizational structure.

Shuttle Safety Panel

A Shuttle Safety Panel will be established by the Associate Administrator for Space Flight not later than September 1, 1986, with direct access to the Space Shuttle Program Manager. This date allows time to determine the structure and function of this panel, including an assessment of its relationship to the newly formed Office of Safety, Reliability, and Quality Assurance, and to the existing Aerospace Safety Advisory Panel.

RECOMMENDATION III

Critical Item Review and Hazard Analysis

On March 13, 1986, NASA initiated a complete review of all Space Shuttle program failure modes and effects analyses (FMEA's) and associated critical item lists (CIL's). Each element and associated prime contractor is conducting separate comprehensive reviews which will culminate in a program-wide review with the Space Shuttle program have been assigned as formal members of each of these review teams. All Criticality 1 and 1R critical item waivers have been cancelled. The teams are required to reassess and resubmit waivers in categories recommended for continued program applicability. Items which cannot be revalidated will be redesigned, qualified, and certified for flight. All Criticality 2 and 3 CIL's are being reviewed for reacceptance and proper categorization. This activity will culminate in a comprehensive final review with NASA Headquarters beginning in March 1987.

As recommended by the Commission, the National Research Council has agreed to form an Independent Audit Panel, reporting to the NASA Administrator, to verify the adequacy of this effort.

RECOMMENDATION IV Safety Organization

The NASA Administrator announced the appointment of Mr. George A. Rodney to the position of Associate Administrator for Safety, Reliability, and Quality Assurance on July 8, 1986. The responsibilities of this office will include the oversight of safety, reliability, and quality assurance functions related to all NASA activities and programs and the implementation of a system for anomaly documentation and resolution to include a trend analysis program. One of the first activities to be undertaken by the new Associate Administrator will be an assessment of the resources including workforce required to ensure adequate execution of the safety organization functions. In addition, the new Associate Administrator will assure appropriate interfaces between the functions of the new safety organization and the Shuttle Safety Panel which will be established in response to the Commission Recommendation II.

RECOMMENDATION V Improved Communications

On June 25, 1986, Astronaut Robert Crippen was directed to form a team to develop plans and recommended policies for the following:

Implementation of effective management communications at all levels.

Standardization of the imposition and removal of STS launch constraints and other operational constraints.

Conduct of Flight Readiness Review and Mission Management Team meetings, including requirements for documentation and flight crew participation.

Since this recommendation is closely linked with the recommendation on Shuttle management structure, the study team will incorporate the plan for improved communications with that for management restructure.

This review of effective communications will consider the activities and information flow at NASA Headquarters and the field centers which support the Shuttle program. The study team will present findings and recommendations to the Associate Administrator for Space Flight by August 15, 1986.

RECOMMENDATION VI Landing Safety

A Landing Safety Team has been established to review and implement the Commission's findings and recommendations on landing safety. All Shuttle hardware and systems are undergoing design reviews to insure compliance with the specifications and safety concerns. The tires, brakes, and nose wheel steering system are included in this activity, and funding for a new carbon brakes system has been approved. Runway surface tests and landing aid requirement reviews had been under way for some time prior to the accident and are continuing. Landing aid implementation will be complete by July 1987. The interim brake system will be delivered by August 1987. Improved methods of local weather forecasting and weather-related support are being developed. Until the Shuttle program has demonstrated satisfactory safety margins through high fidelity testing and during actual landings at , the Kennedy Space Center landing site will not be used for nominal end-of-mission landings. Dual Orbiter ferry capability has been an issue for some time and will be thoroughly considered during the upcoming months.

RECOMMENDATION VII Launch Abort and Crew Escape

On April 7, 1986, NASA initiated a Shuttle Crew Egress and Escape review. The scope of this analysis includes egress and escape capabilities from launch through landing and will provide analyses, concepts, feasibility assessments, cost, and schedules for pad abort, bailout, ejection systems, water landings, and powered flight separation. This review will specifically assess options for crew escape during controlled gliding flight and options for extending the intact abort flight envelope to include failure of 2 or 3 main engines during the early ascent phase. In conjunction with this activity, a Launch Abort Reassessment Team was established to review all launch and launch abort rules to ensure that launch commit criteria, flight rules, range safety systems and procedures, landing aids, runway configurations and lengths, performance versus abort exposure, abort and end-of-mission landing weights, runway surfaces, and other landing-related capabilities provide the proper margin of safety to the vehicle and crew. Crew escape and launch abort studies will be complete on October 1, 1986, with an implementation decision in December 1986.

RECOMMENDATION VIII Flight Rate

In March 1986 NASA established a Flight Rate Capability Working Group. Two flight rate capability studies are under way: (1) a study of capabilities and constraints which govern the Shuttle processing flows at the Kennedy Space Center and (2) a study by the Johnson Space Center to assess the impact of flight specific crew training and software delivery/certification on flight rates.

The working group will present flight rate recommendations to the Office of Space Flight by August 15, 1986. Other collateral studies are still in progress which address Presidential Commission recommendations related to spares provisioning, maintenance, and structural inspection. This effort will also consider the National Research Council independent review of flight rate which is under way as a result of a Congressional Subcommittee request.

NASA strongly supports a mixed fleet to satisfy launch requirements and actions to revitalize the United States expendable launch vehicle capabilities.

Additionally, a new cargo manifest policy is being formulated by NASA Headquarters which will establish manifest ground rules and impose constraints to late changes. Manifest control policy recommendations will be completed in November 1986.

RECOMMENDATION IX Maintenance Safeguards

A Maintenance Safeguards Team has been established to develop a comprehensive plan for defining and implementing actions to comply with the Commission recommendations concerning maintenance activities. A Maintenance Plan is being prepared to ensure that uniform maintenance requirements are imposed on all elements of the Space Shuttle program. This plan will define the structure that will be used to document (1) hardware inspections and schedules, (2) planned maintenance activities, (3) maintenance procedures configuration control, and (4) maintenance logistics.

The plan will also define organizational responsibilities, reporting, and control requirements for Space Shuttle maintenance activities. The maintenance plan will be completed by September 30, 1986.

A number of other activities are underway which will contribute to a return to safe flight and strengthening the NASA organization. A Space Shuttle Design Requirements Review Team headed by the Space Shuttle Systems Integration Office at Johnson Space Center has been assigned to review all Shuttle design requirements and associated technical verification. The team will focus on each Shuttle project element and on total Space Shuttle system design requirements. This activity will culminate in a Space Shuttle Incremental Design Certification Review approximately 3 months prior to the next Space Shuttle Launch.

In consideration of the number, complexity, and interrelationships between the many activities leading to the next flight, the Space Shuttle Program Manager at Johnson Space Center has initiated a series of formal Program Management Reviews for the Space Shuttle program. These reviews are structured to be regular face-to-face discussions involving the managers of all major Space Shuttle program activities. Specific subjects to be discussed at each meeting will focus on progress, schedules, and actions associated with each of the major program review activities and will be tailored directly to current program activity for the time period involved. The first of these meetings was held at Marshall Space Flight Center on May 5-6, 1986, with the second at Kennedy Space Center on June 25, 1986. Follow-on reviews will be held approximately every 6 weeks. Results of these reviews will be reported to the Associate Administrator for Space Flight and to the NASA Administrator.

On June 19, 1986, the NASA Administrator announced termination of the development of the Centaur upper stage for use aboard the Space Shuttle. Use of the Centaur upper stage was planned for NASA planetary spacecraft launches as well as for certain national security satellite launches. Major safety reviews of the Centaur system were under way at the time of the Challenger accident, and these reviews were intensified in recent months to determine if the program should be continued. The final decision to terminate the Centaur stage for use with the Shuttle was made on the basis that even following certain modifications identified by the ongoing reviews, the resultant stage would not meet safety criteria being applied to other cargo or elements of the Space Shuttle System. NASA has initiated efforts to examine other launch vehicle alternatives for the major NASA planetary and scientific payloads which were scheduled to utilize the Centaur upper stage. NASA is providing assistance to the Department of Defense as it examines alternatives for those national security missions which had planned to use the Shuttle/Centaur.

The NASA Administrator has announced a number of Space Station organizational and management structural actions designed to strengthen technical and management capabilities in preparation for moving into the development phase of the Space Station program. The decision to create the new structure is the result of recommendations made to the Administrator by a committee, headed by General Phillips, which is conducting a long range assessment of NASA's overall capabilities and requirements.

Finally, NASA is developing plans for increased staffing in critical areas and is working closely with the Office of Personnel Management to develop a NASA specific proposal which would provide for needed changes to the NASA personnel management system to strengthen our ability to attract, retain, and motivate the quality workforce required to conduct the NASA mission.

RECOMMENDATIONS OF THE PRESIDENTIAL COMMISSION

The Commission has conducted an extensive investigation of the Challenger accident to determine the probable cause and necessary corrective actions. Based on the findings and determinations of its investigation, the Commission has unanimously adopted recommendations to help assure the return to safe flight.

The Commission urges that the Administrator of NASA submit, one year from now, a report to the President on the progress that NASA has made in effecting the Commission's recommendations set forth below:

I DESIGN

The faulty Solid Rocket Motor joint and seal must be changed. This could be a new design eliminating the joint or a redesign of the current joint and seal. No design options should be prematurely precluded because of schedule, cost or reliance on existing hardware. All Solid Rocket Motor joints should satisfy the following requirements:

The joints should be fully understood, tested and verified.

The integrity of the structure and of the seals of all joints should be not less than that of the case walls throughout the design envelope.

The integrity of the joints should be insensitive to:

--Dimensional tolerances.
--Transportation and handling.
--Assembly procedures.
--Inspection and test procedures.
--Environmental effects.
--Internal case operating pressure.
--Recovery and reuse effects.
--Flight and water impact loads.

The certification of the new design should include:

--Tests which duplicate the actual launch configuration as closely as possible.
--Tests over the full range of operating conditions, including temperature.

Full consideration should be given to conducting static firings of the exact flight configuration in a vertical attitude.

INDEPENDENT OVERSIGHT

The Administrator of NASA should request the National Research Council to form an independent Solid Rocket Motor design oversight committee to implement the Commission's design recommendations and oversee the design effort. This committee should:

Review and evaluate certification requirements.

Provide technical oversight of the design, test program and certification.

Report to the Administrator of NASA on the adequacy of the design and make appropriate recommendations.

II SHUTTLE MANAGEMENT STRUCTURE

The Shuttle Program Structure should be reviewed. The project managers for the various elements of the Shuttle program felt more accountable to their center management than to the Shuttle program organization. Shuttle element funding, work package definition, and vital program information frequently bypass the National STS (Shuttle) Program Manager.

A redefinition of the Program Manager's responsibility is essential. This redefinition should give the Program Manager the requisite authority for all ongoing STS operations. Program funding and all Shuttle Program work at the centers should be placed clearly under the Program Manager's authority.

ASTRONAUTS IN MANAGEMENT

The Commission observes that there appears to be a departure from the philosophy of the 1960s and 1970s relating to the use of astronauts in management positions. These individuals brought to their positions flight experience and a keen appreciation of operations and flight safety.

NASA should encourage the transition of qualified astronauts into agency management positions.

The function of the Flight Crew Operations director should be elevated in the NASA organization structure.

SHUTTLE SAFETY PANEL

NASA should establish an STS Safety Advisory Panel reporting to the STS Program Manager. The Charter of this panel should include Shuttle operational issues, launch commit criteria, flight rules, flight readiness and risk management. The panel should include representation from the safety organization, mission operations, and the astronaut office.

III CRITICALITY REVIEW AND HAZARD ANALYSIS

NASA and the primary Shuttle contractors should review all Criticality 1, 1R, 2, and 2R items and hazard analyses. This review should identify those items that must be improved prior to flight to ensure mission safety. An Audit Panel, appointed by the National Research Council, should verify the adequacy of the effort and report directly to the Administrator of NASA.

IV SAFETY ORGANIZATION

NASA should establish an Office of Safety, Reliability and Quality Assurance to be headed by an Associate Administrator, reporting directly to the NASA Administrator. It would have direct authority for safety, reliability, and quality assurance throughout the agency. The office should be assigned the work force to ensure adequate oversight of its functions and should be independent of other NASA functional and program responsibilities.

The responsibilities of this office should include:

The safety, reliability and quality assurance functions as they relate to all NASA activities and programs.

Direction of reporting and documentation of problems, problem resolution and trends associated with flight safety.

V IMPROVED COMMUNICATIONS

The Commission found that Marshall Space Flight Center project managers, because of a tendency at Marshall to management isolation, failed to provide full and timely information bearing on the safety of flight 51-L to other vital elements of Shuttle program management.

NASA should take energetic steps to eliminate this tendency at Marshall Space Flight Center, whether by changes of personnel, organization, indoctrination or all three.

A policy should be developed which governs the imposition and removal of Shuttle launch constraints.

Flight Readiness Reviews and Mission Management Team meetings should be recorded.

The flight crew commander, or a designated representative, should attend the Flight Readiness Review, participate in acceptance of the vehicle for flight, and certify that the crew is properly prepared for flight.

VI LANDING SAFETY

NASA must take actions to improve landing safety.

The tire, brake and nosewheel steering systems must be improved. These systems do not have sufficient safety margin, particularly at abort landing sites.

The specific conditions under which planned landings at Kennedy would be acceptable should be determined. Criteria must be established for tires, brakes and nosewheel steering. Until the systems meet those criteria in high fidelity testing that is verified at Edwards, landing at Kennedy should not be planned.

Committing to a specific landing site requires that landing area weather be forecast more than an hour in advance. During unpredictable weather periods at Kennedy, program officials should plan on Edwards landings. Increased landings at Edwards may necessitate a dual ferry capability.

VII LAUNCH ABORT AND CREW ESCAPE

The Shuttle program management considered first-stage abort options and crew escape options several times during the history of the program, but because of limited utility, technical infeasibility, or program cost and schedule, no systems were implemented. The Commission recommends that NASA:

Make all efforts to provide a crew escape system for use during controlled gliding flight.

Make every effort to increase the range of flight conditions under which an emergency runway landing can be successfully conducted in the event that two or three main engines fail early in ascent.

VIII FLIGHT RATE

The nation's reliance on the Shuttle as its principal space launch capability created a relentless pressure on NASA to increase the flight rate. Such reliance on a single launch capability should be avoided in the future.

NASA must establish a flight rate that is consistent with its resources. A firm payload assignment policy should be established. The policy should include rigorous controls on cargo manifest changes to limit the pressures such changes exert on schedules and crew training.

IX MAINTENANCE SAFEGUARDS

Installation, test, and maintenance procedures must be especially rigorous for Space Shuttle items designated Criticality 1. NASA should establish a system of analyzing and reporting performance trends of such items.

Maintenance procedures for such items should be specified in the Critical Items List, especially for those such as the liquid-fueled main engines, which require unstinting maintenance and overhaul.

With regard to the Orbiters, NASA should:

Develop and execute a comprehensive maintenance inspection plan.

Perform periodic structural inspections when scheduled and not permit them to be waived.

Restore and support the maintenance and spare parts programs, and stop the practice of removing parts from one Orbiter to supply another.

CONCLUDING THOUGHT

The Commission urges that NASA continue to receive the support of the Administration and the nation. The agency constitutes a national resource that plays a critical role in space exploration and development. It also provides a symbol of national pride and technological leadership.

The Commission applauds NASA's spectacular achievements of the past and anticipates impressive achievements to come. The findings and recommendations presented in this report are intended to contribute to the future NASA successes that the nation both expects and requires as the 21st century approaches.

PRESIDENTIAL COMMISSION ON THE SPACE SHUTTLE CHALLENGER ACCIDENT

(Source: The Presidential Commission on the Space Shuttle Challenger Accident Report, June 6, 1986)

William P. Rogers, Chairman Former Secretary of State under President Nixon (1969-1973), and Attorney General under President Eisenhower (1957-1961), currently a practicing attorney and senior partner in the law firm of Rogers & Wells. Born in Norfolk, New York, he was awarded the Medal of Freedom in 1973. He holds a J.D. from Cornell University (1937) and served as LCDR, U.S. Navy (1942-1946).

Neil A. Armstrong, Vice Chairman Former astronaut, currently Chairman of the Board of Computing Technologies for Aviation, Inc. Born in Wapakoneta, Ohio, Mr. Armstrong was spacecraft commander for Apollo 11, July 16-24, 1969, the first manned lunar landing mission. He was Professor of Aeronautical Engineering at the University of Cincinnati from 1971 to 1980 and was appointed to the National Commission on Space in 1985.

David C. Acheson Former Senior Vice President and General Counsel, Communications Satellite Corporation (1967-1974), currently a partner in the law firm of Drinker Biddle & Reath. Born in Washington, DC, he previously served as an attorney with the U.S. Atomic Energy Commission (1948-1950) and was U.S. Attorney for the District of Columbia (1961-1965). He holds an LL.B. from Harvard University (1948) and served as LT, U.S. Navy (1942-1946).

Dr. Eugene E. Covert Educator and engineer. Born in Rapid City, South Dakota, he is currently Professor and Head, Department of Aeronautics and Astronautics, at Massachusetts Institute of Technology. Member of the National Academy of Engineering, he was a recipient of the Exceptional Civilian Service Award, USAF, in 1973 and the NASA Public Service Award in 1980. He holds a Doctorate in Science from Massachusetts Institute of Technology.

Dr. Richard P. Feynman Physicist. Born in New York City, he is Professor of Theoretical Physics at California Institute of Technology. Nobel Prize winner in Physics, 1965, he also received the Einstein Award in 1954, the Oersted Medal in 1972 and the Niels Bohr International Gold Medal in 1973. He holds a Doctorate in Physics from Princeton (1942).

Robert B. Hotz Editor, publisher. Born in Milwaukee, Wisconsin. He is a graduate of Northwestern University. He was the editor-in-chief of Aviation Week & Space Technology magazine (1953-1980). He served in the Air Force in World War II and was awarded the Air Medal with Oak Leaf Cluster. Since 1982, he has been a member of the General Advisory Committee to the Arms Control and Disarmament Agency.

Major General Donald J. Kutyna, USAF Director of Space Systems and Command, Control, Communications. Born in Chicago, Illinois, and graduate of the U.S. Military Academy, he holds a Master of Science degree from Massachusetts Institute of Technology (1965). A command pilot with over 4,000 flight hours, he is a recipient of the Distinguished Service Medal, Distinguished Flying Cross, Legion of Merit and nine air medals.

Dr. Sally K. Ride Astronaut. Born in Los Angeles, California, she was a on STS-7, launched on June 18, 1983, becoming the first American woman in space. She also flew on mission 41-G launched October 5, 1984. She holds a Doctorate in Physics from Stanford University (1978) and is still an active astronaut.

Robert W. Rummel Space expert and aerospace engineer. Born in Dakota, Illinois, and former Vice President of Trans World Airlines, he is currently President of Robert W. Rummel Associates, Inc., of Mesa, Arizona. He is a member of the National Academy of Engineering and is holder of the NASA Distinguished Public Service Medal.

Joseph F. Sutter Aeronautical engineer. Currently Executive Vice President of the Boeing Commercial Airplane Company. Born in Seattle, he has been with Boeing since 1945 and was a principal figure in the development of three generations of jet aircraft. In 1984, he was elected to the National Academy of Engineering. In 1985, President Reagan conferred on him the U.S. National Medal of Technology.

Dr. Arthur B. C. Walker, Jr. Astronomer. Born in Cleveland, Ohio, he is currently Professor of Applied Physics and was formerly Associate Dean of the Graduate Division at Stanford University. Consultant to Aerospace Corporation, Rand Corporation and the National Science Foundation, he is a member of the American Physical Society, American Geophysical Union, and the American Astronomy Society. He holds a Doctorate in Physics from the University of Illinois (1962).

Dr. Albert D. Wheelon Physicist. Born in Moline, Illinois, he is currently Executive Vice President, Hughes Aircraft Company. Also a member of the President's Foreign Intelligence Advisory Board, he served as a consultant to the President's Science Advisory Council from 1961 to 1974. He holds a Doctorate in Physics from Massachusetts Institute of Technology (1952).

Brigadier General Charles Yeager, USAF (Retired) Former experimental test pilot. Born in Myra, West Virginia, he was appointed in 1985 as a member of the National Commission on Space. He was the first person to penetrate the sound barrier and the first to fly at a speed of more than 1,600 miles an hour.

Dr. Alton G. Keel, Jr., Executive Director Detailed to the Commission from his position in the Executive Office of the President, Office of Management and Budget, as Associate Director for National Security and International Affairs; formerly Assistant Secretary of the Air Force for Research, Development and Logistics; and Senate Staff. Born in Newport News, Virginia, he holds a Doctorate in Engineering Physics from the University of Virginia (1970).

PRESIDENTIAL COMMISSION STAFF

Dr. Alton G. Keel, Jr.; Executive Director; White House
Thomas T. Reinhardt; Executive Secretary; MAJ, USA/OMB

Special Assistants

Marie C. Hunter; Executive Assistant to the Chairman; Rogers & Wells
M. M. Black; Personal Secretary to Vice Chairman & Executive Director; OMB
Mark D. Weinberg; Media Relations; White House
Herb Hetu; Media Relations; Consultant
John T. Shepherd; NASA Tasking Coordination; CAPT, USN(Ret)/Atty.

Administrative Staff

Steven B. Hyle; Administrative Officer; LTC, USAF
Patt Sullivan; Administrative Assistant; NASA
Marilyn Stumpf; Travel Coordination; NASA
Joleen A. B. Bottalico; Travel Coordination; NASA
Jane M. Green; Secretary; NASA
Lorraine K. Walton; Secretary; NASA
Vera A. Barnes; Secretary; NASA
Virginia A. James; Receptionist; Contract Support

Investigative Staff

William G. Dupree; Investigator, Development and Production; DOD IG
John B. Hungerford, Jr.; Investigator, Development and Production; LTC, USAF
John P. Chase; Investigator, Pre-Launch Activities; MAJ, USMC/DOD IG
Brewster Shaw; Investigator, Pre-Launch Activities; LTC, USAF/NASA Astronaut
John C. Macidull; Investigator, Accident Analysis; FAA/CDR, USNR-R
Ron Waite; Investigator, Accident Analysis; Engineering Consultant
John Fabian; Investigator, Mission Planning & Operations; COL, USAF/Former Astronaut
Emily M. Trapnell; Coordinator, General Investigative Activities; FAA Atty.
Randy R. Kehrli; Evidence Analysis; DOJ Atty.
E. Thomas Almon; Investigator; Special Agent, FBI
Patrick J. Maley; Investigator; Special Agent, FBI
John R. Molesworth, Jr.; Investigator; Special Agent, FBI
Robert C. Thompson; Investigator; Special Agent, FBI
Dr. R. Curtis Graeber; Human Factors Specialist; LTC, USA/NASA
Michael L. Marx; Metallurgist; NTSB

Writing Support

Woods Hansen; Editor; Free Lance
James Haggerty; Writer; Free Lance
Anthony E. Hartle; Writer; COL, USA/USMA
William Bauman; Writer; CAPT, USAF/USAFA
Frank Gillen; Word Processing Supervisor; Contract Support
Lawrence J. Herb; Art Layout; Free Lance
Willis Rickert; Printer; NASA
Lynne Komai; Design; Contract Support

Documentation Support

Clarisse Abramidis; Case Manager; DOJ
Fritz Geurtsen; Project Manager; DOJ
John Dunbar; Contract Representative; Contract Support
Valarie Lease; Support Center Supervisor; Contract Support
Stephen M. Croll; Correspondence Support; Contract Support

Independent Test Observers

Eugene G. Haberman; Rocket Propulsion Lab; USAF
Wilbur W. Wells; Rocket Propulsion Lab; USAF
Don E. Kennedy; TRW Ballistic Missile Office; Pro Bono
Laddie E. Dufka; Aerospace Corp; Pro Bono
Mohan Aswani; Aerospace Corp; Pro Bono
Michael L. Marx; Metallurgist; NTSB

Appendix F - Personal observations on the reliability of the Shuttle

by R. P. Feynman

Introduction

It appears that there are enormous differences of opinion as to the probability of a failure with loss of vehicle and of human life. The estimates range from roughly 1 in 100 to 1 in 100,000. The higher figures come from the working engineers, and the very low figures from management. What are the causes and consequences of this lack of agreement? Since 1 part in 100,000 would imply that one could put a Shuttle up each day for 300 years expecting to lose only one, we could properly ask "What is the cause of management's fantastic faith in the machinery?"

We have also found that certification criteria used in Flight Readiness Reviews often develop a gradually decreasing strictness. The argument that the same risk was flown before without failure is often accepted as an argument for the safety of accepting it again. Because of this, obvious weaknesses are accepted again and again, sometimes without a sufficiently serious attempt to remedy them, or to delay a flight because of their continued presence.

There are several sources of information. There are published criteria for certification, including a history of modifications in the form of waivers and deviations. In addition, the records of the Flight Readiness Reviews for each flight document the arguments used to accept the risks of the flight. Information was obtained from the direct testimony and the reports of the range safety officer, Louis J. Ullian, with respect to the history of success of solid fuel rockets. There was a further study by him (as chairman of the launch abort safety panel (LASP)) in an attempt to determine the risks involved in possible accidents leading to radioactive contamination from attempting to fly a plutonium power supply (RTG) for future planetary missions. The NASA study of the same question is also available. For the history of the Space Shuttle Main Engines, interviews with management and engineers at Marshall, and informal interviews with engineers at Rocketdyne, were made. An independent (Cal Tech) mechanical engineer who consulted for NASA about engines was also interviewed informally. A visit to Johnson was made to gather information on the reliability of the avionics (computers, sensors, and effectors). Finally there is a report "A Review of Certification Practices, Potentially Applicable to Man-rated Reusable Rocket Engines," prepared at the Jet Propulsion Laboratory by N. Moore, et al., in February, 1986, for NASA Headquarters, Office of Space Flight. It deals with the methods used by the FAA and the military to certify their gas turbine and rocket engines. These authors were also interviewed informally.

Solid Rockets (SRB)

An estimate of the reliability of solid rockets was made by the range safety officer, by studying the experience of all previous rocket flights. Out of a total of nearly 2,900 flights, 121 failed (1 in 25). This includes, however, what may be called, early errors, rockets flown for the first few times in which design errors are discovered and fixed. A more reasonable figure for the mature rockets might be 1 in 50. With special care in the selection of parts and in inspection, a figure of below 1 in 100 might be achieved but 1 in 1,000 is probably not attainable with today's technology. (Since there are two rockets on the Shuttle, these rocket failure rates must be doubled to get Shuttle failure rates from Solid Rocket Booster failure.)

NASA officials argue that the figure is much lower. They point out that these figures are for unmanned rockets but since the Shuttle is a manned vehicle "the probability of mission success is necessarily very close to 1.0." It is not very clear what this phrase means. Does it mean it is close to 1 or that it ought to be close to 1? They go on to explain "Historically this extremely high degree of mission success has given rise to a difference in philosophy between manned space flight programs and unmanned programs; i.e., numerical probability usage versus engineering judgment." (These quotations are from "Space Shuttle Data for Planetary Mission RTG Safety Analysis," Pages 3-1, 3-1, February 15, 1985, NASA, JSC.) It is true that if the probability of failure was as low as 1 in 100,000 it would take an inordinate number of tests to determine it (you would get nothing but a string of perfect flights from which no precise figure, other than that the probability is likely less than the number of such flights in the string so far). But, if the real probability is not so small, flights would show troubles, near failures, and possible actual failures with a reasonable number of trials, and standard statistical methods could give a reasonable estimate. In fact, previous NASA experience had shown, on occasion, just such difficulties, near accidents, and accidents, all giving warning that the probability of flight failure was not so very small. The inconsistency of the argument not to determine reliability through historical experience, as the range safety officer did, is that NASA also appeals to history, beginning "Historically this high degree of mission success..."

Finally, if we are to replace standard numerical probability usage with engineering judgment, why do we find such an enormous disparity between the management estimate and the judgment of the engineers? It would appear that, for whatever purpose, be it for internal or external consumption, the management of NASA exaggerates the reliability of its product, to the point of fantasy.

The history of the certification and Flight Readiness Reviews will not be repeated here. (See other part of Commission reports.) The phenomenon of accepting for flight, seals that had shown erosion and blow-by in previous flights, is very clear. The Challenger flight is an excellent example. There are several references to flights that had gone before. The acceptance and success of these flights is taken as evidence of safety. But erosion and blow-by are not what the design expected. They are warnings that something is wrong. The equipment is not operating as expected, and therefore there is a danger that it can operate with even wider deviations in this unexpected and not thoroughly understood way. The fact that this danger did not lead to a catastrophe before is no guarantee that it will not the next time, unless it is completely understood. When playing Russian roulette the fact that the first shot got off safely is little comfort for the next. The origin and consequences of the erosion and blow-by were not understood. They did not occur equally on all flights and all joints; sometimes more, and sometimes less. Why not sometime, when whatever conditions determined it were right, still more leading to catastrophe?

In spite of these variations from case to case, officials behaved as if they understood it, giving apparently logical arguments to each other often depending on the "success" of previous flights. For example, in determining if flight 51-L was safe to fly in the face of ring erosion in flight 51-C, it was noted that the erosion depth was only one-third of the radius. It had been noted in an experiment cutting the ring that cutting it as deep as one radius was necessary before the ring failed. Instead of being very concerned that variations of poorly understood conditions might reasonably create a deeper erosion this time, it was asserted, there was "a safety factor of three." This is a strange use of the engineer's term, "safety factor." If a bridge is built to withstand a certain load without the beams permanently deforming, cracking, or breaking, it may be designed for the materials used to actually stand up under three times the load. This "safety factor" is to allow for uncertain excesses of load, or unknown extra loads, or weaknesses in the material that might have unexpected flaws, etc. If now the expected load comes on to the new bridge and a crack appears in a beam, this is a failure of the design. There was no safety factor at all; even though the bridge did not actually collapse because the crack went only one-third of the way through the beam. The O-rings of the Solid Rocket Boosters were not designed to erode. Erosion was a clue that something was wrong. Erosion was not something from which safety can be inferred.

There was no way, without full understanding, that one could have confidence that conditions the next time might not produce erosion three times more severe than the time before. Nevertheless, officials fooled themselves into thinking they had such understanding and confidence, in spite of the peculiar variations from case to case. A mathematical model was made to calculate erosion. This was a model based not on physical understanding but on empirical curve fitting. To be more detailed, it was supposed a stream of hot gas impinged on the O-ring material, and the heat was determined at the point of stagnation (so far, with reasonable physical, thermodynamic laws). But to determine how much rubber eroded it was assumed this depended only on this heat by a formula suggested by data on a similar material. A logarithmic plot suggested a straight line, so it was supposed that the erosion varied as the .58 power of the heat, the .58 being determined by a nearest fit. At any rate, adjusting some other numbers, it was determined that the model agreed with the erosion (to depth of one-third the radius of the ring). There is nothing much so wrong with this as believing the answer! Uncertainties appear everywhere. How strong the gas stream might be was unpredictable, it depended on holes formed in the putty. Blow-by showed that the ring might fail even though not, or only partially eroded through. The empirical formula was known to be uncertain, for it did not go directly through the very data points by which it was determined. There were a cloud of points some twice above, and some twice below the fitted curve, so erosions twice predicted were reasonable from that cause alone. Similar uncertainties surrounded the other constants in the formula, etc., etc. When using a mathematical model careful attention must be given to uncertainties in the model.

Liquid Fuel Engine (SSME)

During the flight of 51-L the three Space Shuttle Main Engines all worked perfectly, even, at the last moment, beginning to shut down the engines as the fuel supply began to fail. The question arises, however, as to whether, had it failed, and we were to investigate it in as much detail as we did the Solid Rocket Booster, we would find a similar lack of attention to faults and a deteriorating reliability. In other words, were the organization weaknesses that contributed to the accident confined to the Solid Rocket Booster sector or were they a more general characteristic of NASA? To that end the Space Shuttle Main Engines and the avionics were both investigated. No similar study of the Orbiter, or the External Tank was made.

The engine is a much more complicated structure than the Solid Rocket Booster, and a great deal more detailed engineering goes into it. Generally, the engineering seems to be of high quality and apparently considerable attention is paid to deficiencies and faults found in operation.

The usual way that such engines are designed (for military or civilian aircraft) may be called the component system, or bottom-up design. First it is necessary to thoroughly understand the properties and limitations of the materials to be used (for turbine blades, for example), and tests are begun in experimental rigs to determine those. With this knowledge larger component parts (such as bearings) are designed and tested individually. As deficiencies and design errors are noted they are corrected and verified with further testing. Since one tests only parts at a time these tests and modifications are not overly expensive. Finally one works up to the final design of the entire engine, to the necessary specifications. There is a good chance, by this time that the engine will generally succeed, or that any failures are easily isolated and analyzed because the failure modes, limitations of materials, etc., are so well understood. There is a very good chance that the modifications to the engine to get around the final difficulties are not very hard to make, for most of the serious problems have already been discovered and dealt with in the earlier, less expensive, stages of the process.

The Space Shuttle Main Engine was handled in a different manner, top down, we might say. The engine was designed and put together all at once with relatively little detailed preliminary study of the material and components. Then when troubles are found in the bearings, turbine blades, coolant pipes, etc., it is more expensive and difficult to discover the causes and make changes. For example, cracks have been found in the turbine blades of the high pressure oxygen turbopump. Are they caused by flaws in the material, the effect of the oxygen atmosphere on the properties of the material, the thermal stresses of startup or shutdown, the vibration and stresses of steady running, or mainly at some resonance at certain speeds, etc.? How long can we run from crack initiation to crack failure, and how does this depend on power level? Using the completed engine as a test bed to resolve such questions is extremely expensive. One does not wish to lose an entire engine in order to find out where and how failure occurs. Yet, an accurate knowledge of this information is essential to acquire a confidence in the engine reliability in use. Without detailed understanding, confidence can not be attained.

A further disadvantage of the top-down method is that, if an understanding of a fault is obtained, a simple fix, such as a new shape for the turbine housing, may be impossible to implement without a redesign of the entire engine.

The Space Shuttle Main Engine is a very remarkable machine. It has a greater ratio of thrust to weight than any previous engine. It is built at the edge of, or outside of, previous engineering experience. Therefore, as expected, many different kinds of flaws and difficulties have turned up. Because, unfortunately, it was built in the top-down manner, they are difficult to find and fix. The design aim of a lifetime of 55 missions equivalent firings (27,000 seconds of operation, either in a mission of 500 seconds, or on a test stand) has not been obtained. The engine now requires very frequent maintenance and replacement of important parts, such as turbopumps, bearings, sheet metal housings, etc. The high-pressure fuel turbopump had to be replaced every three or four mission equivalents (although that may have been fixed, now) and the high pressure oxygen turbopump every five or six. This is at most ten percent of the original specification. But our main concern here is the determination of reliability.

In a total of about 250,000 seconds of operation, the engines have failed seriously perhaps 16 times. Engineering pays close attention to these failings and tries to remedy them as quickly as possible. This it does by test studies on special rigs experimentally designed for the flaws in question, by careful inspection of the engine for suggestive clues (like cracks), and by considerable study and analysis. In this way, in spite of the difficulties of top-down design, through hard work, many of the problems have apparently been solved.

A list of some of the problems follows. Those followed by an asterisk (*) are probably solved:

1. Turbine blade cracks in high pressure fuel turbopumps (HPFTP). (May have been solved.)
2. Turbine blade cracks in high pressure oxygen turbopumps (HPOTP).
3. Augmented Spark Igniter (ASI) line rupture.*
4. Purge check valve failure.*
5. ASI chamber erosion.*
6. HPFTP turbine sheet metal cracking.
7. HPFTP coolant liner failure.*
8. Main combustion chamber outlet elbow failure.*
9. Main combustion chamber inlet elbow weld offset.*
10. HPOTP subsynchronous whirl.*
11. Flight acceleration safety cutoff system (partial failure in a redundant system).*
12. Bearing spalling (partially solved).
13. A vibration at 4,000 Hertz making some engines inoperable, etc.

Many of these solved problems are the early difficulties of a new design, for 13 of them occurred in the first 125,000 seconds and only three in the second 125,000 seconds. Naturally, one can never be sure that all the bugs are out, and, for some, the fix may not have addressed the true cause. Thus, it is not unreasonable to guess there may be at least one surprise in the next 250,000 seconds, a probability of 1/500 per engine per mission. On a mission there are three engines, but some accidents would possibly be contained, and only affect one engine. The system can abort with only two engines. Therefore let us say that the unknown surprises do not, even of themselves, permit us to guess that the probability of mission failure due to the Space Shuttle Main Engine is less than 1/500. To this we must add the chance of failure from known, but as yet unsolved, problems (those without the asterisk in the list above). These we discuss below. (Engineers at Rocketdyne, the manufacturer, estimate the total probability as 1/10,000. Engineers at Marshall estimate it as 1/300, while NASA management, to whom these engineers report, claims it is 1/100,000. An independent engineer consulting for NASA thought 1 or 2 per 100 a reasonable estimate.)

The history of the certification principles for these engines is confusing and difficult to explain. Initially the rule seems to have been that two sample engines must each have had twice the time operating without failure as the operating time of the engine to be certified (rule of 2x). At least that is the FAA practice, and NASA seems to have adopted it, originally expecting the certified time to be 10 missions (hence 20 missions for each sample). Obviously the best engines to use for comparison would be those of greatest total (flight plus test) operating time -- the so-called "fleet leaders." But what if a third sample and several others fail in a short time? Surely we will not be safe because two were unusual in lasting longer. The short time might be more representative of the real possibilities, and in the spirit of the safety factor of 2, we should only operate at half the time of the short-lived samples.

The slow shift toward decreasing safety factor can be seen in many examples. We take that of the HPFTP turbine blades. First of all the idea of testing an entire engine was abandoned. Each engine number has had many important parts (like the turbopumps themselves) replaced at frequent intervals, so that the rule must be shifted from engines to components. We accept an HPFTP for a certification time if two samples have each run successfully for twice that time (and of course, as a practical matter, no longer insisting that this time be as large as 10 missions). But what is "successfully?" The FAA calls a turbine blade crack a failure, in order, in practice, to really provide a safety factor greater than 2. There is some time that an engine can run between the time a crack originally starts until the time it has grown large enough to fracture. (The FAA is contemplating new rules that take this extra safety time into account, but only if it is very carefully analyzed through known models within a known range of experience and with materials thoroughly tested. None of these conditions apply to the Space Shuttle Main Engine.)

Cracks were found in many second stage HPFTP turbine blades. In one case three were found after 1,900 seconds, while in another they were not found after 4,200 seconds, although usually these longer runs showed cracks. To follow this story further we shall have to realize that the stress depends a great deal on the power level. The Challenger flight was to be at, and previous flights had been at, a power level called 104% of rated power level during most of the time the engines were operating. Judging from some material data it is supposed that at the level 104% of rated power level, the time to crack is about twice that at 109% or full power level (FPL). Future flights were to be at this level because of heavier payloads, and many tests were made at this level. Therefore dividing time at 104% by 2, we obtain units called equivalent full power level (EFPL). (Obviously, some uncertainty is introduced by that, but it has not been studied.) The earliest cracks mentioned above occurred at 1,375 EFPL.

Now the certification rule becomes "limit all second stage blades to a maximum of 1,375 seconds EFPL." If one objects that the safety factor of 2 is lost it is pointed out that the one turbine ran for 3,800 seconds EFPL without cracks, and half of this is 1,900 so we are being more conservative. We have fooled ourselves in three ways. First we have only one sample, and it is not the fleet leader, for the other two samples of 3,800 or more seconds had 17 cracked blades between them. (There are 59 blades in the engine.) Next we have abandoned the 2x rule and substituted equal time. And finally, 1,375 is where we did see a crack. We can say that no crack had been found below 1,375, but the last time we looked and saw no cracks was 1,100 seconds EFPL. We do not know when the crack formed between these times, for example cracks may have formed at 1,150 seconds EFPL. (Approximately 2/3 of the blade sets tested in excess of 1,375 seconds EFPL had cracks. Some recent experiments have, indeed, shown cracks as early as 1,150 seconds.) It was important to keep the number high, for the Challenger was to fly an engine very close to the limit by the time the flight was over.

Finally it is claimed that the criteria are not abandoned, and the system is safe, by giving up the FAA convention that there should be no cracks, and considering only a completely fractured blade a failure. With this definition no engine has yet failed. The idea is that since there is sufficient time for a crack to grow to a fracture we can insure that all is safe by inspecting all blades for cracks. If they are found, replace them, and if none are found we have enough time for a safe mission. This makes the crack problem not a flight safety problem, but merely a maintenance problem.

This may in fact be true. But how well do we know that cracks always grow slowly enough that no fracture can occur in a mission? Three engines have run for long times with a few cracked blades (about 3,000 seconds EFPL) with no blades broken off.

But a fix for this cracking may have been found. By changing the blade shape, shot-peening the surface, and covering with insulation to exclude thermal shock, the blades have not cracked so far.

A very similar story appears in the history of certification of the HPOTP, but we shall not give the details here.

It is evident, in summary, that the Flight Readiness Reviews and certification rules show a deterioration for some of the problems of the Space Shuttle Main Engine that is closely analogous to the deterioration seen in the rules for the Solid Rocket Booster.

Avionics

By "avionics" is meant the computer system on the Orbiter as well as its input sensors and output actuators. At first we will restrict ourselves to the computers proper and not be concerned with the reliability of the input information from the sensors of temperature, pressure, etc., nor with whether the computer output is faithfully followed by the actuators of rocket firings, mechanical controls, displays to astronauts, etc.

The computer system is very elaborate, having over 250,000 lines of code. It is responsible, among many other things, for the automatic control of the entire ascent to orbit, and for the descent until well into the atmosphere (below Mach 1) once one button is pushed deciding the landing site desired. It would be possible to make the entire landing automatically (except that the landing gear lowering signal is expressly left out of computer control, and must be provided by the pilot, ostensibly for safety reasons) but such an entirely automatic landing is probably not as safe as a pilot controlled landing. During orbital flight it is used in the control of payloads, in displaying information to the astronauts, and the exchange of information to the ground. It is evident that the safety of flight requires guaranteed accuracy of this elaborate system of computer hardware and software.

In brief, the hardware reliability is ensured by having four essentially independent identical computer systems. Where possible each sensor also has multiple copies, usually four, and each copy feeds all four of the computer lines. If the inputs from the sensors disagree, depending on circumstances, certain averages, or a majority selection is used as the effective input. The algorithm used by each of the four computers is exactly the same, so their inputs (since each sees all copies of the sensors) are the same. Therefore at each step the results in each computer should be identical. From time to time they are compared, but because they might operate at slightly different speeds a system of stopping and waiting at specific times is instituted before each comparison is made. If one of the computers disagrees, or is too late in having its answer ready, the three which do agree are assumed to be correct and the errant computer is taken completely out of the system. If, now, another computer fails, as judged by the agreement of the other two, it is taken out of the system, and the rest of the flight canceled, and descent to the landing site is instituted, controlled by the two remaining computers. It is seen that this is a redundant system since the failure of only one computer does not affect the mission. Finally, as an extra feature of safety, there is a fifth independent computer, whose memory is loaded with only the programs of ascent and descent, and which is capable of controlling the descent if there is a failure of more than two of the computers of the main line four.
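The comparison-and-removal scheme described above can be written as a small state machine. This is an added sketch, not the Shuttle's flight software: the computer names `C1` to `C4`, the mode names, and the rule that any comparison without a strict majority hands control to the fifth computer are assumptions, and the sample outputs are constructed.

```python
from collections import Counter

LATE = object()  # marker: computer had no answer ready at the synchronization point

class RedundantSet:
    """Four main-line computers compared at synchronization points (hypothetical names)."""

    def __init__(self):
        self.active = ["C1", "C2", "C3", "C4"]
        self.removed = []
        self.mode = "NOMINAL"  # NOMINAL -> ABORT_DESCENT -> BACKUP

    def compare(self, outputs):
        """outputs maps each computer to its result (or LATE); returns the new mode."""
        if self.mode == "BACKUP":
            return self.mode  # the fifth computer already has control
        votes = Counter(outputs[c] for c in self.active if outputs[c] is not LATE)
        value, count = votes.most_common(1)[0] if votes else (None, 0)
        if 2 * count <= len(self.active):
            # Assumption: with no strict majority nobody can be judged correct,
            # so this is treated as the "more than two failures" case.
            self.removed.extend(self.active)
            self.active = []
            self.mode = "BACKUP"
            return self.mode
        # The agreeing computers are assumed correct; a computer that disagrees
        # or is late is taken completely out of the system.
        errant = [c for c in self.active
                  if outputs[c] is LATE or outputs[c] != value]
        for c in errant:
            self.active.remove(c)
            self.removed.append(c)
        if len(self.active) <= 2:
            # Second failure: rest of flight cancelled, descent on the remaining two.
            self.mode = "ABORT_DESCENT"
        return self.mode

def run(scenario):
    """Feed a list of comparison steps to a fresh set; return (mode, active) per step."""
    rs = RedundantSet()
    return [(rs.compare(step), tuple(rs.active)) for step in scenario]

# Constructed sample: one late computer, then one wrong answer, then a 1-1 split.
SCENARIO = [
    {"C1": 7, "C2": 7, "C3": 7, "C4": 7},
    {"C1": 7, "C2": 7, "C3": LATE, "C4": 7},
    {"C1": 99, "C2": 8, "C3": LATE, "C4": 8},
    {"C1": 99, "C2": 9, "C3": LATE, "C4": 10},
]

if __name__ == "__main__":
    for mode, active in run(SCENARIO):
        print(mode, active)
```

The first failure leaves the mission unaffected, which is what makes the set redundant; the scheme says nothing about four identical programs agreeing on the same wrong answer, which is why the software verification discussed further on matters.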

There is not enough room in the memory of the main line computers for all the programs of ascent, descent, and payload programs in flight, so the memory is loaded about four times from tapes, by the astronauts.

Because of the enormous effort required to replace the software for such an elaborate system, and for checking a new system out, no change has been made to the hardware since the system began about fifteen years ago. The actual hardware is obsolete; for example, the memories are of the old ferrite core type. It is becoming more difficult to find manufacturers to supply such old-fashioned computers reliably and of high quality. Modern computers are very much more reliable, can run much faster, simplifying circuits, and allowing more to be done, and would not require so much loading of memory, for the memories are much larger.

The software is checked very carefully in a bottom-up fashion. First, each new line of code is checked, then sections of code or modules with special functions are verified. The scope is increased step by step until the new changes are incorporated into a complete system and checked. This complete output is considered the final product, newly released. But completely independently there is an independent verification group, that takes an adversary attitude to the software development group, and tests and verifies the software as if it were a customer of the delivered product. There is additional verification in using the new programs in simulators, etc. A discovery of an error during verification testing is considered very serious, and its origin studied very carefully to avoid such mistakes in the future. Such unexpected errors have been found only about six times in all the programming and program changing (for new or altered payloads) that has been done. The principle that is followed is that all the verification is not an aspect of program safety, it is merely a test of that safety, in a non-catastrophic verification. Flight safety is to be judged solely on how well the programs do in the verification tests. A failure here generates considerable concern.

To summarize then, the computer software checking system and attitude is of the highest quality. There appears to be no process of gradually fooling oneself while degrading standards so characteristic of the Solid Rocket Booster or Space Shuttle Main Engine safety systems. To be sure, there have been recent suggestions by management to curtail such elaborate and expensive tests as being unnecessary at this late date in Shuttle history. This must be resisted for it does not appreciate the mutual subtle influences, and sources of error generated by even small changes of one part of a program on another. There are perpetual requests for changes as new payloads and new demands and modifications are suggested by the users. Changes are expensive because they require extensive testing. The proper way to save money is to curtail the number of requested changes, not the quality of testing for each.

One might add that the elaborate system could be very much improved by more modern hardware and programming techniques. Any outside competition would have all the advantages of starting over, and whether that is a good idea for NASA now should be carefully considered.

Finally, returning to the sensors and actuators of the avionics system, we find that the attitude to system failure and reliability is not nearly as good as for the computer system. For example, a difficulty was found with certain temperature sensors sometimes failing. Yet 18 months later the same sensors were still being used, still sometimes failing, until a launch had to be scrubbed because two of them failed at the same time. Even on a succeeding flight this unreliable sensor was used again. Again, reaction control systems, the rocket jets used for reorienting and control in flight, still are somewhat unreliable. There is considerable redundancy, but a long history of failures, none of which has yet been extensive enough to seriously affect flight. The action of the jets is checked by sensors, and, if they fail to fire, the computers choose another jet to fire. But they are not designed to fail, and the problem should be solved.

Conclusions

If a reasonable launch schedule is to be maintained, engineering often cannot be done fast enough to keep up with the expectations of originally conservative certification criteria designed to guarantee a very safe vehicle. In these situations, subtly, and often with apparently logical arguments, the criteria are altered so that flights may still be certified in time. They therefore fly in a relatively unsafe condition, with a chance of failure of the order of a percent (it is difficult to be more accurate).

Official management, on the other hand, claims to believe the probability of failure is a thousand times less. One reason for this may be an attempt to assure the government of NASA perfection and success in order to ensure the supply of funds. The other may be that they sincerely believed it to be true, demonstrating an almost incredible lack of communication between themselves and their working engineers.

In any event this has had very unfortunate consequences, the most serious of which is to encourage ordinary citizens to fly in such a dangerous machine, as if it had attained the safety of an ordinary airliner. The astronauts, like test pilots, should know their risks, and we honor them for their courage. Who can doubt that McAuliffe was equally a person of great courage, who was closer to an awareness of the true risk than NASA management would have us believe?

Let us make recommendations to ensure that NASA officials deal in a world of reality in understanding technological weaknesses and imperfections well enough to be actively trying to eliminate them. They must live in reality in comparing the costs and utility of the Shuttle to other methods of entering space. And they must be realistic in making contracts, in estimating costs, and the difficulty of the projects. Only realistic flight schedules should be proposed, schedules that have a reasonable chance of being met. If in this way the government would not support them, then so be it. NASA owes it to the citizens from whom it asks support to be frank, honest, and informative, so that these citizens can make the wisest decisions for the use of their limited resources.

For a successful technology, reality must take precedence over public relations, for nature cannot be fooled.